Quantum computers can execute algorithms that dramatically outperform classical computation. As the best-known example, Shor discovered an efficient quantum algorithm for factoring integers, whereas factoring appears to be difficult for classical computers. Understanding what other computational problems can be solved significantly faster using quantum algorithms is one of the major challenges in the theory of quantum computation, and such algorithms motivate the formidable task of building a large-scale quantum computer. This article reviews the current state of quantum algorithms, focusing on algorithms with superpolynomial speedup over classical computation, and in particular, on problems with an algebraic flavor.
I. INTRODUCTION

In the early 1980s, Manin (1980) and Feynman (1982) independently observed that computers built from quantum mechanical components would be ideally suited to simulating quantum mechanics. Whereas brute-force classical simulation of a system of $n$ quantum particles (say, two-level atoms) requires storing $2^n$ complex amplitudes, and hence exponentially many bits of information, a quantum computer can naturally represent those amplitudes using only $n$ quantum bits. Thus, it is natural to expect a quantum mechanical computer to outperform a classical one at quantum simulation.[1]

The perspective of quantum systems as abstract information processing devices subsequently led to the identification of concrete tasks, apparently unrelated to quantum mechanics, for which quantum computers have a quantifiable advantage. Deutsch (1985) gave the first such example, a black-box problem that requires two queries to solve on a classical computer, but that can be solved with only one quantum query. A series of related results (Bernstein and Vazirani, 1997; Deutsch and Jozsa, 1992) gave increasingly dramatic separations between classical and quantum query complexity, culminating in an example of Simon (1997) providing an exponential separation. Building on this work, Shor (1997) discovered in 1994 that a quantum computer could efficiently factor integers and calculate discrete logarithms. Shor's result drew considerable attention to the concept of quantum information processing (see Ekert and Jozsa (1996) for an early review), and since then, the design and analysis of quantum algorithms has become a vibrant research area.

Quantum computers achieve speedup over classical computation by taking advantage of interference between quantum amplitudes. Of course, interference occurs in classical wave mechanics as well, but quantum mechanics is distinguished by the ability to efficiently represent a large number of amplitudes with only a few quantum bits.[2] In Shor's algorithm and its predecessors, the "exponential interference" leading to quantum speedup is orchestrated using a unitary operation called the quantum Fourier transform (QFT), an algebraic operation. In this article, we review the state of the art in quantum algorithms for algebraic problems, which can be viewed as continuations of the line of work leading from Deutsch to Shor. Many, though not all, of these algorithms make use of the QFT in some capacity.

[1] In principle, quantum systems evolving according to simple interactions from a simple initial configuration can be described using fewer parameters, and classical simulations exploiting this idea have been developed (see for example Pérez-García et al. (2007)). But while these ideas are extremely fruitful for simulating some quantum systems, we do not expect them to be efficient for any physically reasonable system — in particular, not for systems capable of performing universal quantum computation. However, we emphasize that there is no unconditional proof that classical simulation of quantum systems requires exponential overhead.

[2] A similar situation occurs for the description of $n$ probabilistic bits by $2^n$ real-valued probabilities. However, probabilities do not interfere; and contrary to the quantum case, randomized algorithms are not believed to be dramatically more powerful than deterministic ones (see for example Impagliazzo and Wigderson (1997)).

Before beginning our exploration of quantum algorithms for algebraic problems, we briefly summarize the development of quantum algorithms more generally. It has sometimes been said that there are really only two quantum algorithms: Shor's and Grover's. We hope that this article will, in some small way, help to dispel this pernicious myth. While it is difficult to compete with the impact of Shor's algorithm (a dramatic speedup for a problem profoundly relevant to modern electronic commerce) or the broad applicability of Grover's algorithm (a modest yet surprising speedup for the most basic of search problems), recent years have seen a steady stream of new quantum algorithms, both for artificial problems that shed light on the power of quantum computation, and for problems of genuine practical interest.

In 1996, Grover (1997) gave an algorithm achieving quadratic speedup[3] for the unstructured search problem, the problem of deciding whether a black-box Boolean function has any input that evaluates to 1. Grover's algorithm was subsequently generalized to the framework of amplitude amplification and to counting the number of solutions (Brassard et al., 2002). The unstructured search problem is extremely basic, and Grover's algorithm has found application to a wide variety of related problems (e.g., Ambainis and Spalek (2006); Brassard et al. (1997); Dürr et al. (2004)).

The concept of quantum walk, developed by analogy to the classical notion of random walk, has proven to be another broadly useful tool for quantum algorithms. Continuous-time quantum walk was introduced by Farhi and Gutmann (1998), and discrete-time quantum walk was introduced by Watrous (2001b). The continuous-time formulation has been used to demonstrate exponential speedup of quantum over classical computation (Childs et al., 2003, 2007), though it remains to be seen whether these ideas can be applied to a problem of practical interest. However, both continuous- and discrete-time quantum walk have been applied to achieve polynomial speedup for a variety of search problems. Following related work on spatial search (Aaronson and Ambainis, 2005; Ambainis et al., 2005; Childs and Goldstone, 2004a,b; Shenvi et al., 2003), Ambainis (2007) gave an optimal quantum algorithm for the element distinctness problem. This approach was subsequently generalized (Magniez et al., 2007; Szegedy, 2004) and applied to other problems in query complexity, namely triangle finding (Magniez et al., 2005), checking matrix multiplication (Buhrman and Spalek, 2006), and testing group commutativity (Magniez and Nayak, 2007). Recently, quantum walk has also been applied to give optimal quantum algorithms for evaluating balanced binary game trees (Farhi et al., 2007) and, more generally, Boolean formulas (Ambainis et al., 2007; Reichardt and Spalek, 2008).



[3] Prior to Grover's result it was already shown by Bennett et al. (1997) that a quadratic speedup for the unstructured search problem is optimal. More generally, for any total Boolean function, there can be at most a polynomial separation (in general, at most degree 6) between classical and quantum query complexity (Beals et al., 2001).
A related technique for quantum algorithms is the concept of adiabatic evolution. The quantum adiabatic theorem guarantees that a quantum system in its ground state will remain close to its ground state as the Hamiltonian is changed, provided the change is sufficiently slow, depending on spectral properties of the Hamiltonian (see for example Born and Fock (1928); Jansen et al. (2007)). Farhi et al. (2000) proposed using adiabatic evolution as an approach to optimization problems. Unfortunately, analyzing this approach is challenging. While it is possible to construct specific cost functions for which specific formulations of adiabatic optimization fail (van Dam et al., 2001; van Dam and Vazirani, 2003; Fisher, 1992; Reichardt, 2004), the performance in general remains poorly understood. Going beyond the setting of optimization problems, note that adiabatic evolution can simulate a universal quantum computer (Aharonov et al., 2007b).

Finally, returning to the original motivation for quantum computation, Manin and Feynman's vision of quantum computers as quantum simulators has been considerably developed (e.g., Aspuru-Guzik et al. (2005); Lloyd (1996); Wiesner (1996); Zalka (1998)). However, it has proven difficult to identify a concrete computational task involving quantum simulation for which the speedup over classical computers can be understood precisely. While it is widely expected that quantum simulation will be one of the major applications of quantum computers, much work remains to be done.

The main body of this article is organized as follows. In Section II, we give a brief introduction to the model of quantum computation and the complexity of quantum algorithms. In Section III, we introduce the Abelian quantum Fourier transform, and in Section IV, we show how this transform can be applied to solve the Abelian hidden subgroup problem, with various applications. In Section V, we describe quantum algorithms for problems involving number fields, including the efficient quantum algorithm for solving Pell's equation. In Section VI, we introduce the non-Abelian version of the quantum Fourier transform, and in Section VII we discuss the status of the non-Abelian version of the hidden subgroup problem. In Sections VIII and IX, we describe two approaches to going beyond the hidden subgroup framework, namely hidden shift problems and hidden nonlinear structure problems, respectively. Finally, in Section X, we briefly discuss quantum algorithms for approximating the Jones polynomial and other #P-complete problems.



II. COMPLEXITY OF QUANTUM COMPUTATION 

In this section we give a brief introduction to quantum computers, with particular emphasis on characterizing computational efficiency. For more detailed background, the reader is encouraged to consult Kaye et al. (2007); Kitaev et al. (2002); Nielsen and Chuang (2000); Preskill (1998a).



A. Quantum data 

A quantum computer is a device for performing calculations using a quantum mechanical representation of information. Data are stored using quantum bits, or qubits, the states of which can be represented by $\ell_2$-normalized vectors in a complex vector space. For example, we can write the state of $n$ qubits as

$$|\psi\rangle = \sum_{x \in \{0,1\}^n} a_x |x\rangle \qquad (1)$$

where the $a_x \in \mathbb{C}$ satisfy $\sum_{x \in \{0,1\}^n} |a_x|^2 = 1$. We refer to the basis of states $|x\rangle$ as the computational basis.

Although we can always suppose that our data is represented using qubits, it is often useful to think of quantum states as storing data more abstractly. For example, given a group $G$, we write $|g\rangle$ for a computational basis state corresponding to the group element $g \in G$, and

$$\sum_{g \in G} b_g |g\rangle \qquad (2)$$

(where $b_g \in \mathbb{C}$ with $\sum_{g \in G} |b_g|^2 = 1$) for an arbitrary superposition over the group. We often implicitly assume that there is some canonical way of concisely representing group elements using bit strings; it is usually unnecessary to make this representation explicit. We use the convention that for any finite set $S$, the state $|S\rangle$ denotes the normalized uniform superposition of its elements, i.e.,

$$|S\rangle := \frac{1}{\sqrt{|S|}} \sum_{s \in S} |s\rangle. \qquad (3)$$

If a quantum computer stores the state $|\psi\rangle$ in one register and the state $|\phi\rangle$ in another, the overall state is given by the tensor product of those two states. This may variously be denoted $|\psi\rangle \otimes |\phi\rangle$, or $|\psi, \phi\rangle$.

It can be useful to consider statistical mixtures of pure quantum states, represented by density matrices. We refer the reader to the references above for further details.



B. Quantum circuits 

The allowed operations on pure quantum states are those that map normalized states to normalized states, namely unitary operators $U$, satisfying $UU^\dagger = U^\dagger U = 1$. When viewed as an $N \times N$ matrix, the rows (and columns) of $U$ form an orthonormal basis of the space $\mathbb{C}^N$.

To have a sensible notion of efficient computation, we require that the unitary operators appearing in a quantum computation are realized by quantum circuits (Deutsch, 1989; Yao, 1993). We are given a set of gates, each of which acts on one or two qubits at a time, meaning that it is a tensor product of a nontrivial one- or two-qubit operator with the identity operator on the remaining qubits. A quantum computation begins in the $|0 \ldots 0\rangle$ state, applies a sequence of one- and two-qubit gates chosen from the set of allowed gates, and finally reports an outcome obtained by measuring in the computational basis. A circuit is called efficient if it contains a number of gates that is polynomial in the number of qubits the circuit acts on.

In principle, any unitary operator on $n$ qubits can be implemented using only 1- and 2-qubit gates (DiVincenzo, 1995). Thus we say that the set of all 1- and 2-qubit gates is (exactly) universal. Of course, some unitary operators take many more 1- and 2-qubit gates to realize than others, and indeed, a simple counting argument shows that most unitary operators on $n$ qubits can only be realized using an exponentially large circuit (Knill, 1995).

In general, we are content with circuits that give good approximations of our desired unitary transformations. We say that a circuit with gates $U_1, U_2, \ldots, U_t$ approximates $U$ with precision $\epsilon$ if $\|U - U_t \cdots U_2 U_1\| \le \epsilon$, where $\|\cdot\|$ denotes the operator norm, i.e., the largest singular value. We call a set of elementary gates universal if any unitary operator on a fixed number of qubits can be approximated to precision $\epsilon$ using $\mathrm{poly}(\log \frac{1}{\epsilon})$ elementary gates. It turns out that there are finite sets of gates that are universal (Boykin et al., 2000): for example, the set $\{H, T, \Lambda(X)\}$ with

$$\Lambda(X) := \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \end{pmatrix}.$$

There are situations in which a set of gates is effectively universal, even though it cannot actually approximate any unitary operator on $n$ qubits. For example, the gate set $\{H, T^2, \Lambda(X), \Lambda^2(X)\}$, where $\Lambda^2(X)$ denotes the Toffoli gate ($\Lambda^2(X)|xyz\rangle = |xyz\rangle$ for $xy \in \{00, 01, 10\}$, and $\Lambda^2(X)|11z\rangle = |11\bar{z}\rangle$) is universal (Kitaev, 1997), but only if we allow the use of ancilla qubits (qubits that start and end in the $|0\rangle$ state). Similarly, the gate set $\{H, \Lambda^2(X)\}$ is universal in the sense that, with ancillas, it can approximate any orthogonal transformation (Aharonov, 2003; Shi, 2003). It clearly cannot approximate complex unitary matrices, since the entries of $H$ and $\Lambda^2(X)$ are real; but the effect of arbitrary unitary transformations can be simulated using orthogonal ones by simulating the real and imaginary parts separately (Bernstein and Vazirani, 1993; Rudolph and Grover, 2002).

One might wonder whether some universal gate sets are better than others. It turns out that the answer is essentially no; a unitary operator that can be realized efficiently with one set of 1- and 2-qubit gates can also be realized efficiently with another such set. This is a consequence of the Solovay-Kitaev theorem (Harrow et al., 2002; Kitaev, 1997; Solovay, 2000):

Theorem 1. Fix two gate sets that allow universal quantum computation and that are closed under taking inverses. Then any $t$-gate circuit using the first gate set can be implemented with error at most $\epsilon$ using a circuit of $t \cdot \mathrm{poly}(\log(t/\epsilon))$ gates from the second gate set. Furthermore, there is an efficient classical algorithm for finding this circuit.



In particular, this means we can view a simple finite gate set, such as $\{H, T, \Lambda(X)\}$, as equivalent to an infinite gate set, such as the set of all two-qubit gates. A finite gate set is needed both for fault tolerance (Section II.E) and for the concept of uniformly generated circuits (Footnote 4).

Note that to implement unitary operators exactly, the notion of efficiency might depend on the allowed gates (see for example Mosca and Zalka (2004)), so we usually restrict our attention to quantum computation with bounded error.

In principle, one can construct quantum circuits adaptively, basing the choices of gates on the outcomes of intermediate measurements. We may also discard quantum data in the course of a circuit. In general, the possible operations on mixed quantum states correspond to completely positive, trace preserving maps on density matrices. Again, we refer the reader to the aforementioned references for more details.



C. Reversible computation 

Unitary matrices are invertible: in particular, $U^{-1} = U^\dagger$. Thus any unitary transformation is a reversible operation. This may seem at odds with how we often define classical circuits, using irreversible gates such as AND and OR. But any classical computation can be made reversible by replacing each irreversible gate $x \mapsto g(x)$ by the reversible gate $(x, y) \mapsto (x, y \oplus g(x))$, where $\oplus$ denotes bitwise addition modulo 2. Applying this gate to the input $(x, 0)$ produces $(x, g(x))$. By storing all intermediate steps of the computation, we make it reversible (Bennett, 1973).

On a quantum computer, storing all intermediate computational steps could present a problem, since two identical results obtained via distinct computational histories would not be able to interfere. However, there is an easy way to remove the accumulated information. After performing the classical computation with reversible gates, we simply copy the answer into an ancilla register, and then perform the computation in reverse. Thus we can implement the map $(x, y) \mapsto (x, y \oplus f(x))$ even when $f$ is a complicated circuit consisting of many gates.

Using this trick, any computation that can be performed efficiently on a classical computer can be performed efficiently on a quantum computer, even on a superposition of computational basis states. In other words, if we can efficiently implement the map $x \mapsto f(x)$ on a classical computer, we can efficiently perform the transformation

$$\sum_x a_x |x, y\rangle \mapsto \sum_x a_x |x, y \oplus f(x)\rangle \qquad (6)$$

on a quantum computer. Note that this does not necessarily mean we can efficiently perform the transformation

$$\sum_x a_x |x\rangle \mapsto \sum_x a_x |f(x)\rangle, \qquad (7)$$

even if the function $f$ is bijective.
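As an added illustration (my code, not the review's), the following Python simulation carries out the compute-copy-uncompute trick for $f(x_0, x_1) = x_0 \vee x_1$ on a five-qubit state vector and checks the interference claim above: with the work ancillas uncomputed, the input register behaves as Eq. (6) predicts, while leaving the garbage in place changes the measurement statistics. The register layout and the phase-kickback test (answer register prepared in $|-\rangle$) are my own choices.

```python
import math

SQRT2 = math.sqrt(2)
# Register layout (constructed for this example): position in the basis tuple.
X0, X1, A, W, Y = 0, 1, 2, 3, 4   # inputs x0, x1; work ancillas a, w; answer register y


def apply_x(state, q):
    """Pauli X (NOT) on qubit q; a state is a dict {basis tuple: amplitude}."""
    out = {}
    for bits, amp in state.items():
        nb = list(bits)
        nb[q] ^= 1
        out[tuple(nb)] = out.get(tuple(nb), 0) + amp
    return out


def apply_cx(state, controls, target):
    """Multi-controlled NOT: a CNOT for one control, a Toffoli for two."""
    out = {}
    for bits, amp in state.items():
        nb = list(bits)
        if all(bits[c] for c in controls):
            nb[target] ^= 1
        out[tuple(nb)] = out.get(tuple(nb), 0) + amp
    return out


def apply_h(state, q):
    """Hadamard on qubit q, dropping amplitudes that cancel to zero."""
    out = {}
    for bits, amp in state.items():
        for v in (0, 1):
            nb = list(bits)
            nb[q] = v
            sign = -1 if (bits[q] == 1 and v == 1) else 1
            out[tuple(nb)] = out.get(tuple(nb), 0) + sign * amp / SQRT2
    return {k: v for k, v in out.items() if abs(v) > 1e-12}


def run(state, gates):
    for g in gates:
        state = apply_x(state, g[1]) if g[0] == "x" else apply_cx(state, g[1], g[2])
    return state


# Reversible evaluation of w = x0 OR x1 via De Morgan: a = NOT x0 AND NOT x1, w = NOT a.
# Every gate is its own inverse, so running the list backwards uncomputes a and w.
FORWARD = [("x", X0), ("x", X1), ("cx", (X0, X1), A), ("x", X0), ("x", X1),
           ("cx", (A,), W), ("x", W)]
COPY = [("cx", (W,), Y)]   # copy the answer: (x, y) -> (x, y XOR f(x))


def compute_or(state, uncompute=True):
    state = run(run(state, FORWARD), COPY)
    return run(state, FORWARD[::-1]) if uncompute else state


def reversible_eval(x0, x1, uncompute=True):
    """Classical run on one basis state; returns the final (x0, x1, a, w, y)."""
    [(bits, _)] = compute_or({(x0, x1, 0, 0, 0): 1.0}, uncompute).items()
    return bits


def prob_inputs_zero(uncompute):
    """Phase-kickback test: x0, x1 start in |+>, y in |->; compute f into y, apply H
    to x0, x1 and return Pr[x0 = x1 = 0]. With y = |-> the copy step multiplies
    branch x by (-1)^f(x); the four branches interfere only if a and w are back
    in |00> and hence not entangled with x."""
    state = apply_x({(0, 0, 0, 0, 0): 1.0}, Y)
    for q in (X0, X1, Y):
        state = apply_h(state, q)
    state = compute_or(state, uncompute)
    for q in (X0, X1):
        state = apply_h(state, q)
    return sum(abs(a) ** 2 for bits, a in state.items() if bits[X0] == bits[X1] == 0)
```

With uncomputation the probability is $|\tfrac{1}{4}\sum_x (-1)^{f(x)}|^2 = 1/4$; with the garbage left behind the x = 00 branch no longer cancels against the other three and the probability rises to 5/8.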
D. Quantum complexity theory

We say that an algorithm for a problem is efficient if the circuit describing it uses a number of gates that is polynomial in the input size, the number of bits needed to write down the input.[4] For example, if the input is an integer modulo $N$, the input size is $\lceil \log_2 N \rceil$.

With a quantum computer, as with a randomized (or noisy) classical computer, the final result of a computation may not be correct with certainty. Instead, we are typically content with an algorithm that can produce the correct answer with high enough probability. To solve a decision problem, it suffices to give an algorithm with success probability bounded above 1/2 (say, at least 2/3), since we can repeat the computation many times and take a majority vote to make the probability of outputting an incorrect answer arbitrarily small. Similarly, if we can check whether a given solution is correct, it suffices to output the correct answer with probability $\Omega(1)$.[5]

It is common practice to characterize the difficulty of computational problems using complexity classes (see for example Papadimitriou (1994)). Typically, these classes contain decision problems, problems with a 'yes' or 'no' answer. (Such a problem is conventionally formulated as deciding whether a string over some finite alphabet is in a given language; formally, a complexity class is a set of languages.) For example, the problems that can be decided in polynomial time on a deterministic classical computer belong to the class P; on a probabilistic classical computer with error at most 1/3, to the class BPP; and on a quantum computer with error at most 1/3, to the class BQP. Clearly, P ⊆ BPP ⊆ BQP. The central problem of quantum algorithms can be viewed as trying to understand what problems are in BQP, but not in P (or BPP).

Whereas the classes P, BPP, and BQP all attempt to characterize modes of computation that could be carried out in practice, computational complexity theory is also concerned with more abstract classes that characterize other aspects of computation. For example, the class NP corresponds to those decision problems for which a 'yes' answer can be verified in polynomial time on a classical computer, given a succinct proof. It is widely believed that P ≠ NP, and indeed, that NP ⊄ BQP (though it is also plausible that BQP ⊄ NP), but proving this appears to be an extremely challenging problem (see for example the excellent survey of quantum complexity by Watrous (2009)). Indeed, it seems almost as difficult just to prove P ≠ PSPACE, where PSPACE denotes the class of problems that can be decided by a deterministic classical computer running in polynomial space. Since BQP ⊆ PSPACE (Bernstein and Vazirani, 1997) (i.e., any computation that can be performed on a quantum computer in polynomial time can be performed on a classical computer with polynomial memory — indeed, even stronger such results are known (Adleman et al., 1997; Bernstein and Vazirani, 1997; Fortnow and Rogers, 1998)), we expect it will be hard to prove P ≠ BQP. Instead, we try to find efficient quantum algorithms for problems that appear to be hard for classical computers.

[4] Strictly speaking, we would like the circuits for solving instances of a problem of different sizes to be related to one another in some simple way. Given the ability to choose an arbitrary circuit for each input size, we could even have circuits computing uncomputable functions (i.e., functions that a Turing machine could not compute). Thus we require our circuits to be uniformly generated: say, that there exists a fixed (classical) Turing machine that, given a tape containing the symbol '1' $n$ times, outputs a description of the $n$th circuit in time $\mathrm{poly}(n)$.

[5] In this article, we use standard big-O notation, where $f = O(g)$ if there exist positive constants $c, y$ such that $|f(x)| \le c|g(x)|$ for all $x > y$; $f = \Omega(g)$ if $g = O(f)$; and $f = \Theta(g)$ if both $f = O(g)$ and $f = \Omega(g)$. The expression $\Omega(1)$ thus represents a function lower bounded by an unspecified positive constant. We write $f = o(g)$ to denote that $\lim_{x \to \infty} f(x)/g(x) = 0$. To convey that a function $f$ is bounded from above by a polynomial in the function $g$, we write $f = \mathrm{poly}(g)$, which could also be written as $f = g^{O(1)}$.

While most complexity classes contain decision problems, some classes describe the complexity of computing non-Boolean functions. For example, the class #P characterizes the complexity of counting the number of 'yes' solutions to a problem in NP.

Alternatively, instead of considering natural computational problems (in which the input is a string), we sometimes work in the setting of query complexity. Here the input is a black-box transformation (or oracle) — which in the quantum setting is given as a unitary transformation as in Eq. (6) — and our goal is to discover some property of the transformation by querying it as few times as possible. For example, in Simon's problem (Simon, 1997), we are given a black box for a transformation $f : \{0,1\}^n \to S$ satisfying $f(x) = f(y)$ iff $y \in \{x, x \oplus t\}$ for some unknown $t \in \{0,1\}^n$, and the goal is to learn $t$.

The query model facilitates proving lower bounds: it is often tractable to establish that many queries must be used to solve a given black-box problem, whereas it is generally hard to show that many gates are required to compute some explicit function. Indeed, we will encounter numerous examples of black-box problems that can be solved in polynomial time on a quantum computer, but that provably require exponentially many queries on a randomized classical computer. Of course, if we find an efficient algorithm for a problem in query complexity, then if we are provided with an explicit, efficient circuit realizing the black-box transformation, we will have an efficient algorithm for a natural computational problem. We stress, however, that lower bounds in the query model no longer apply when the black box is thus replaced by a transparent one. For example, Shor's factoring algorithm (Section IV.E) proceeds by solving a problem in query complexity which is provably hard for classical computers. Nevertheless, it is an open question whether factoring is classically hard, since there might be a fast classical algorithm that does not work by solving the query problem.



E. Fault tolerance 

With any real computer, operations cannot be done perfectly. Quantum gates and measurements may be performed imprecisely, and errors may happen even to stored data that is not being manipulated. Fortunately, there are protocols for dealing with faults that occur during the execution of a quantum computation. Specifically, the fault-tolerant threshold theorem states that as long as the noise level is below some threshold (depending on the noise model and the architecture of the quantum computer, but typically in the range of $10^{-3}$ to $10^{-4}$), an arbitrarily long computation can be performed with arbitrarily small error (Aharonov and Ben-Or, 2008; Kitaev, 1997; Knill et al., 1996, 1997; Preskill, 1998b; Shor, 1996). Throughout this article, we implicitly assume that fault-tolerant protocols have been applied, so that we effectively have a perfectly functioning quantum computer.



III. ABELIAN QUANTUM FOURIER TRANSFORM 

A. Fourier transforms over finite Abelian groups 

For the group $\mathbb{Z}/N\mathbb{Z}$, the group of integers modulo $N$ under addition (see Appendix A), the quantum Fourier transform (QFT) is a unitary operation $F_{\mathbb{Z}/N\mathbb{Z}}$. Its effect on a basis state $|x\rangle$ for any $x \in \mathbb{Z}/N\mathbb{Z}$ is

$$F_{\mathbb{Z}/N\mathbb{Z}} |x\rangle = \frac{1}{\sqrt{N}} \sum_{y \in \mathbb{Z}/N\mathbb{Z}} \omega_N^{xy} |y\rangle \qquad (8)$$

where $\omega_N := e^{2\pi i/N}$ denotes a primitive $N$th root of unity.

More generally, a finite Abelian group $G$ has $|G|$ distinct one-dimensional irreducible representations (or irreducible characters) $\psi \in \hat{G}$. These are functions $\psi : G \to \mathbb{C}$ with $\psi(a + b) = \psi(a)\psi(b)$ for all $a, b \in G$, using additive notation for the group operation of $G$ (see Appendix B for further details). The quantum Fourier transform $F_G$ over $G$ acts as

$$F_G |x\rangle = \frac{1}{\sqrt{|G|}} \sum_{\psi \in \hat{G}} \psi(x) |\psi\rangle \qquad (9)$$

for each $x \in G$.

For example, the group $(\mathbb{Z}/N\mathbb{Z}) \times (\mathbb{Z}/N\mathbb{Z})$ has irreducible representations defined by $\psi_{y_1, y_2}(x_1, x_2) := \omega_N^{x_1 y_1 + x_2 y_2}$ for all $y_1, y_2 \in \mathbb{Z}/N\mathbb{Z}$; hence its quantum Fourier transform $F_{(\mathbb{Z}/N\mathbb{Z}) \times (\mathbb{Z}/N\mathbb{Z})}$ acts as

$$|x_1, x_2\rangle \mapsto \frac{1}{N} \sum_{y_1, y_2 \in \mathbb{Z}/N\mathbb{Z}} \omega_N^{x_1 y_1 + x_2 y_2} |y_1, y_2\rangle \qquad (10)$$

for all $x_1, x_2 \in \mathbb{Z}/N\mathbb{Z}$. In this example, $F_{(\mathbb{Z}/N\mathbb{Z}) \times (\mathbb{Z}/N\mathbb{Z})}$ can be written as the tensor product $F_{\mathbb{Z}/N\mathbb{Z}} \otimes F_{\mathbb{Z}/N\mathbb{Z}}$. In general, according to the fundamental theorem of finite Abelian groups, any finite Abelian group $G$ can be expressed as a direct product of cyclic subgroups of prime power order, $G \cong (\mathbb{Z}/p_1^{r_1}\mathbb{Z}) \times \cdots \times (\mathbb{Z}/p_k^{r_k}\mathbb{Z})$, and the QFT over $G$ can be written as the tensor product of QFTs $F_{\mathbb{Z}/p_1^{r_1}\mathbb{Z}} \otimes \cdots \otimes F_{\mathbb{Z}/p_k^{r_k}\mathbb{Z}}$.

The Fourier transform $F_G$ is useful for exploiting symmetry with respect to $G$. Consider the operator that adds $s \in G$, defined by $P_s |x\rangle = |x + s\rangle$ for any $x \in G$. This operator is diagonal in the Fourier basis: we have

$$F_G P_s F_G^\dagger = \sum_{\psi \in \hat{G}} \psi(s) |\psi\rangle\langle\psi|. \qquad (11)$$

Thus, measurements in the Fourier basis produce the same statistics for a pure state $|\phi\rangle$ and its shift $P_s |\phi\rangle$. Equivalently, a $G$-invariant mixed state is diagonalized by $F_G$.
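To make Eq. (11) concrete, here is an added Python check (my own code, not the review's): it builds $F_G$ from the characters of Eq. (9) for the constructed group $G = \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/3\mathbb{Z}$ (deliberately not a power of two), conjugates the shift $P_s$ by it, and confirms both the diagonal form with entries $\psi(s)$ and the shift-invariance of Fourier-basis measurement statistics for a constructed state.

```python
import cmath
import itertools
import math


def group_elements(orders):
    """Elements of G = Z/N1 x ... x Z/Nk as tuples, in a fixed order."""
    return list(itertools.product(*[range(N) for N in orders]))


def character(orders, y, x):
    """psi_y(x) = prod_i omega_{N_i}^{x_i y_i}: the irreducible character labelled by y."""
    return cmath.exp(2j * math.pi * sum(xi * yi / N for xi, yi, N in zip(x, y, orders)))


def fourier_matrix(orders):
    """F_G of Eq. (9): row y (the character psi_y), column x, entry psi_y(x) / sqrt|G|."""
    G = group_elements(orders)
    root = math.sqrt(len(G))
    return [[character(orders, y, x) / root for x in G] for y in G]


def shift_matrix(orders, s):
    """P_s |x> = |x + s| as a permutation matrix over the same ordering of G."""
    G = group_elements(orders)
    index = {x: i for i, x in enumerate(G)}
    P = [[0.0] * len(G) for _ in G]
    for x in G:
        x_plus_s = tuple((xi + si) % N for xi, si, N in zip(x, s, orders))
        P[index[x_plus_s]][index[x]] = 1.0
    return P


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]


def dagger(A):
    return [[A[j][i].conjugate() for j in range(len(A))] for i in range(len(A[0]))]


def matvec(A, v):
    return [sum(A[i][j] * v[j] for j in range(len(v))) for i in range(len(A))]


def is_unitary(orders, tol=1e-9):
    F = fourier_matrix(orders)
    I = matmul(F, dagger(F))
    return all(abs(I[i][j] - (1.0 if i == j else 0.0)) < tol
               for i in range(len(I)) for j in range(len(I)))


def eq11_holds(orders, s, tol=1e-9):
    """Check F_G P_s F_G^dagger == sum_psi psi(s) |psi><psi| entry by entry."""
    G = group_elements(orders)
    F = fourier_matrix(orders)
    D = matmul(matmul(F, shift_matrix(orders, s)), dagger(F))
    for i, y in enumerate(G):
        for j in range(len(G)):
            expected = character(orders, y, s) if i == j else 0.0
            if abs(D[i][j] - expected) > tol:
                return False
    return True


def fourier_statistics(orders, state):
    """Outcome probabilities when `state` is measured in the Fourier basis {|psi>}."""
    return [abs(c) ** 2 for c in matvec(fourier_matrix(orders), state)]


def statistics_invariant(orders, state, s, tol=1e-9):
    """The consequence of Eq. (11): statistics of |phi> and P_s|phi> agree."""
    before = fourier_statistics(orders, state)
    after = fourier_statistics(orders, matvec(shift_matrix(orders, s), state))
    return all(abs(p - q) < tol for p, q in zip(before, after))


# Constructed example: G = Z/2Z x Z/3Z, shift s = (1, 2), an arbitrary normalised state.
ORDERS = (2, 3)
SHIFT = (1, 2)
STATE = [0.6, 0.8j, 0.0, 0.0, 0.0, 0.0]
```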



B. Efficient quantum circuit for the QFT over Z/2"Z 

To use the Fourier transform over $G$ as part of an efficient quantum computation, we must implement it (approximately) by a quantum circuit of size $\mathrm{poly}(\log |G|)$. This can indeed be done for any finite Abelian group (Barenco et al., 1996; Cleve, 1994; Coppersmith, 1994; Hales and Hallgren, 2000; Kitaev, 1995; Shor, 1997). In this section we explain a construction for the case of the group $\mathbb{Z}/2^n\mathbb{Z}$, following the presentation of Cleve et al. (1998).

Transforming from the basis of states $\{|x\rangle : x \in G\}$ to the basis $\{|\psi\rangle : \psi \in \hat{G}\}$, the matrix representation of the Fourier transformation over $\mathbb{Z}/N\mathbb{Z}$ is

$$F_{\mathbb{Z}/N\mathbb{Z}} = \frac{1}{\sqrt{N}} \begin{pmatrix} 1 & 1 & 1 & \cdots & 1 \\ 1 & \omega_N & \omega_N^2 & \cdots & \omega_N^{N-1} \\ 1 & \omega_N^2 & \omega_N^4 & \cdots & \omega_N^{2N-2} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 1 & \omega_N^{N-1} & \omega_N^{2N-2} & \cdots & \omega_N^{(N-1)^2} \end{pmatrix}. \qquad (12)$$

More succinctly,

$$F_{\mathbb{Z}/N\mathbb{Z}} = \frac{1}{\sqrt{N}} \sum_{x, y \in \mathbb{Z}/N\mathbb{Z}} \omega_N^{xy} |y\rangle\langle x| \qquad (13)$$

where $|y\rangle$ represents the basis state corresponding to the character $\psi_y$ with $\psi_y(x) = \omega_N^{xy}$. It is straightforward to verify that $F_{\mathbb{Z}/N\mathbb{Z}}$ is indeed a unitary transformation, i.e., that $F_{\mathbb{Z}/N\mathbb{Z}}^\dagger F_{\mathbb{Z}/N\mathbb{Z}} = F_{\mathbb{Z}/N\mathbb{Z}} F_{\mathbb{Z}/N\mathbb{Z}}^\dagger = 1$.

Assume now that $N = 2^n$, and let us represent the integer $x \in \mathbb{Z}/N\mathbb{Z}$ by $n$ bits $x_0, x_1, \ldots, x_{n-1}$ where $x = \sum_{j=0}^{n-1} 2^j x_j$. The Fourier transform of $|x\rangle$ can then be written as the tensor product of $n$ qubits, since

$$F_{\mathbb{Z}/2^n\mathbb{Z}} |x\rangle = \frac{1}{\sqrt{2^n}} \sum_{y \in \{0,1\}^n} \omega_{2^n}^{xy} |y_0, \ldots, y_{n-1}\rangle \qquad (14)$$

$$= \frac{1}{\sqrt{2^n}} \sum_{y \in \{0,1\}^n} \bigotimes_{j=0}^{n-1} \omega_{2^n}^{2^j x y_j} |y_j\rangle \qquad (15)$$

$$= \frac{1}{\sqrt{2^n}} \bigotimes_{j=0}^{n-1} \sum_{y_j \in \{0,1\}} e^{2\pi i x y_j / 2^{n-j}} |y_j\rangle \qquad (16)$$

$$= \bigotimes_{j=0}^{n-1} \frac{|0\rangle + e^{2\pi i \sum_{k=0}^{n-1} 2^{k+j-n} x_k} |1\rangle}{\sqrt{2}}. \qquad (17)$$

Now, because $\exp(2\pi i \, 2^k x_k) = 1$ for all integers $k \ge 0$, we see that the $j$th output qubit is

$$|y_j\rangle = \frac{1}{\sqrt{2}} \left( |0\rangle + e^{2\pi i (2^{-1} x_{n-1-j} + 2^{-2} x_{n-2-j} + \cdots + 2^{j-n} x_0)} |1\rangle \right), \qquad (18)$$

and hence only depends on the $n - j$ input bits $x_0, \ldots, x_{n-1-j}$.
To describe a quantum circuit that implements the Fourier transform, we define the single-qubit phase rotation

$$R_r := \begin{pmatrix} 1 & 0 \\ 0 & e^{2\pi i/2^r} \end{pmatrix} \qquad (19)$$

and the two-qubit controlled rotation

$$\Lambda(R_r) := \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & e^{2\pi i/2^r} \end{pmatrix} = \begin{pmatrix} 1 & 0 \\ 0 & R_r \end{pmatrix} \qquad (20)$$

acting symmetrically on $a$ and $b \in \{0,1\}$ as $\Lambda(R_r)|a, b\rangle = e^{2\pi i ab/2^r} |a, b\rangle$. The circuit shown in Figure 1 uses $\binom{n}{2}$ of these gates together with $n$ Hadamard gates to exactly implement the quantum Fourier transform over $\mathbb{Z}/2^n\mathbb{Z}$.

In this circuit, there are many rotations by small angles that do not significantly affect the final result. By simply omitting the gates $\Lambda(R_r)$ with $r = \Omega(\log n)$, we obtain a circuit of size $O(n \log n)$ (instead of $O(n^2)$ for the original circuit) that implements the QFT with precision $1/\mathrm{poly}(n)$ (Coppersmith, 1994).
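The following added Python example (my code, not the review's) simulates the Figure 1 circuit on a state vector, with qubit $j$ holding bit $x_j$ and the gate order that Eq. (18) dictates, and compares it with the exact matrix of Eq. (13). An `r_max` argument (my own knob) drops the gates $\Lambda(R_r)$ with $r > r_{\max}$ so that the cost of Coppersmith's approximation can be measured; the error is reported in the Frobenius norm, which upper-bounds the operator norm used in the text.

```python
import cmath
import math


def hadamard(state, q):
    """H on qubit q of a state vector; basis index i has bit q equal to x_q."""
    out = list(state)
    mask = 1 << q
    for i in range(len(state)):
        if not i & mask:
            a, b = state[i], state[i | mask]
            out[i] = (a + b) / math.sqrt(2)
            out[i | mask] = (a - b) / math.sqrt(2)
    return out


def controlled_rotation(state, c, t, r):
    """Lambda(R_r) of Eq. (20): phase e^{2 pi i / 2^r} when qubits c and t are both 1."""
    phase = cmath.exp(2j * math.pi / 2 ** r)
    mask = (1 << c) | (1 << t)
    return [amp * phase if i & mask == mask else amp for i, amp in enumerate(state)]


def qft_circuit(state, n, r_max=None):
    """Figure 1 circuit on an n-qubit state vector; returns (new state, gate count).
    Qubits are processed from n-1 down to 0: after H, qubit j carries the phase
    x_j / 2, and Lambda(R_{j-k+1}) controlled by each lower qubit k adds
    x_k / 2^{j-k+1}, which is exactly the phase of output qubit n-1-j in Eq. (18).
    When r_max is given, gates with r > r_max are omitted (Coppersmith's approximation)."""
    gates = 0
    for j in range(n - 1, -1, -1):
        state = hadamard(state, j)
        gates += 1
        for k in range(j - 1, -1, -1):
            r = j - k + 1
            if r_max is not None and r > r_max:
                continue
            state = controlled_rotation(state, k, j, r)
            gates += 1
    # Qubit j now holds output bit y_{n-1-j}: reverse the bit order of every index.
    out = [0j] * len(state)
    for i, amp in enumerate(state):
        out[int(format(i, "0%db" % n)[::-1], 2)] = amp
    return out, gates


def qft_exact_column(n, x):
    """Column x of F_{Z/NZ} from Eq. (13) with N = 2^n: (1/sqrt N) sum_y omega^{xy} |y>."""
    N = 2 ** n
    return [cmath.exp(2j * math.pi * x * y / N) / math.sqrt(N) for y in range(N)]


def qft_error(n, r_max=None):
    """Frobenius distance between the circuit and the exact F, plus the gate count."""
    N = 2 ** n
    err2, gates = 0.0, 0
    for x in range(N):
        basis = [0j] * N
        basis[x] = 1.0 + 0j
        got, gates = qft_circuit(basis, n, r_max)
        err2 += sum(abs(a - b) ** 2 for a, b in zip(got, qft_exact_column(n, x)))
    return math.sqrt(err2), gates
```

For $n = 5$ the full circuit uses $5 + \binom{5}{2} = 15$ gates and reproduces Eq. (13) to rounding error, while `r_max` = 2, 3, 4 use 9, 12 and 14 gates with an error that shrinks as more rotations are kept.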



C. Phase estimation and the QFT over any finite Abelian group 

Aside from being directly applicable to quantum algorithms, such as Shor's algorithm, the QFT over $\mathbb{Z}/2^n\mathbb{Z}$ provides a useful quantum computing primitive called phase estimation (Cleve et al., 1998; Kitaev, 1995). In the phase estimation problem, we are given a unitary operator $U$ (either as an explicit circuit, or as a black box that lets us apply a controlled-$U^x$ operation for integer values of $x$). We are also given a state $|\phi\rangle$ that is promised to be an eigenvector of $U$, namely $U|\phi\rangle = e^{i\phi}|\phi\rangle$ for some $\phi \in \mathbb{R}$. The goal is to output an estimate of $\phi$ to some desired precision. (Of course, we can also apply the procedure to a general state $|\psi\rangle$; by linearity, we obtain each value $\phi$ with probability $|\langle\phi|\psi\rangle|^2$.)

The procedure for phase estimation is straightforward:

Algorithm 1 (Phase estimation).

Input: Eigenstate $|\phi\rangle$ (with eigenvalue $e^{i\phi}$) of a given unitary operator $U$.

Problem: Produce an $n$-bit estimate of $\phi$.

1. Prepare the quantum computer in the state

$$\frac{1}{\sqrt{2^n}} \sum_{x \in \mathbb{Z}/2^n\mathbb{Z}} |x\rangle \otimes |\phi\rangle. \qquad (21)$$

2. Apply the unitary operator

$$\sum_{x \in \mathbb{Z}/2^n\mathbb{Z}} |x\rangle\langle x| \otimes U^x, \qquad (22)$$

giving the state

$$\frac{1}{\sqrt{2^n}} \sum_{x \in \mathbb{Z}/2^n\mathbb{Z}} e^{ix\phi} |x\rangle \otimes |\phi\rangle. \qquad (23)$$

3. Apply an inverse Fourier transform on the first register, giving

$$\frac{1}{2^n} \sum_{x, y \in \mathbb{Z}/2^n\mathbb{Z}} \omega_{2^n}^{-xy} e^{ix\phi} |y\rangle \otimes |\phi\rangle. \qquad (24)$$

4. Measure the first register of the resulting state in the computational basis.

If the binary expansion of $\phi/2\pi$ terminates after at most $n$ bits, then the result is guaranteed to be the binary expansion of $\phi/2\pi$. In general, we obtain a good approximation with high probability (Cleve et al., 1998). (The relevant calculation appears in Section IV.D for the case where $\phi \in \mathbb{Q}$; that same calculation works for any $\phi \in \mathbb{R}$.) The optimal way of estimating the unknown phase is analyzed in (van Dam et al., 2007), but the above method is sufficient for our purposes.

The complexity of Algorithm 1 can depend on the form 
of the unitary operator U. If we are only given a black box 
for the controlled-f/ gate, then there may be no better way 
to implement the controlled-C/^ operation than by perform- 
ing a controlled-t/ gate x times, so that the running time is 
0(2") (i.e., approximately the inverse of the desired preci- 
sion). On the other hand, if it is possible to implement Eq. (22) 
in poly(«) time — say, using repeated squaring — then phase 
estimation can be performed in poly(n) time. 
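The measurement statistics of Algorithm 1, as an added example that is not code from the original article: the outcome distribution is computed directly from the amplitudes in Eq. (24), first for an eigenphase whose binary expansion terminates within $n$ bits (the outcome is then certain) and then for one that does not (the two adjacent $n$-bit values carry most of the probability). The phases, the constant `TWO_PI` and the function names are assumptions of this example.

```python
import cmath
import math

# Added example (not from the paper): the outcome statistics of Algorithm 1
# computed directly from Eq. (24). The eigenphases used are constructed values.

TWO_PI = 2 * math.pi


def phase_estimation_distribution(phi, n):
    """Pr[y] for each y in Z/2^nZ after steps 1-4 of Algorithm 1.

    After step 2 the first register is sum_x e^{i phi x}|x>/sqrt(2^n); the
    inverse QFT gives amplitude (1/2^n) sum_x e^{i phi x} omega^{-xy} on |y>.
    """
    dim = 1 << n
    probs = []
    for y in range(dim):
        amp = sum(cmath.exp(1j * phi * x) * cmath.exp(-2j * math.pi * x * y / dim)
                  for x in range(dim)) / dim
        probs.append(abs(amp) ** 2)
    return probs


def most_likely_estimate(phi, n):
    """(y, Pr[y]) for the most probable outcome; y / 2^n is the n-bit estimate of phi / 2 pi."""
    probs = phase_estimation_distribution(phi, n)
    y = max(range(len(probs)), key=probs.__getitem__)
    return y, probs[y]


def neighbours_probability(phi, n):
    """Probability of landing on one of the two n-bit values bracketing 2^n phi / 2 pi."""
    dim = 1 << n
    probs = phase_estimation_distribution(phi, n)
    lo = math.floor(phi / TWO_PI * dim) % dim
    return probs[lo] + probs[(lo + 1) % dim]


if __name__ == "__main__":
    print(most_likely_estimate(TWO_PI * 3 / 8, 3))    # phi/2pi = 0.011 in binary: exact
    print(most_likely_estimate(TWO_PI * 0.3, 4))      # 0.3 * 16 = 4.8: peaked at y = 5
    print(neighbours_probability(TWO_PI * 0.3, 4))
```

With $\phi/2\pi = 3/8$ and $n = 3$ the outcome $y = 3$ has probability one, as the text states for terminating expansions; with $\phi/2\pi = 0.3$ and $n = 4$ the nearest value $y = 5$ is returned roughly 88% of the time and the pair $\{4, 5\}$ more than 90% of the time.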

One useful application of phase estimation is to implement the QFT Eq. (13) over an arbitrary cyclic group $\mathbb{Z}/N\mathbb{Z}$ (Kitaev, 1995). The circuit presented in the previous section only works when $N$ is a power of two (or, with a slight generalization, a power of some other fixed integer). But the following simple technique can be used to realize $F_{\mathbb{Z}/N\mathbb{Z}}$ (approximately) using phase estimation. (While this approach is conceptually simple, it is possible to implement the QFT over a cyclic group more efficiently; see Hales and Hallgren (2000).)

We would like to perform the transformation that maps $|x\rangle \mapsto |\hat x\rangle$, where $|\hat x\rangle := F_{\mathbb{Z}/N\mathbb{Z}}|x\rangle$ denotes a Fourier basis state. By linearity, if the transformation acts correctly on a basis, it acts correctly on all states. It is straightforward to perform the transformation $|x,0\rangle \mapsto |x,\hat x\rangle$ (create a uniform superposition $\sum_{y\in\mathbb{Z}/N\mathbb{Z}}|y\rangle/\sqrt N$ in the second register and apply the controlled phase shift $|x,y\rangle \mapsto \omega_N^{xy}|x,y\rangle$), but it remains to erase the first register.

Consider the unitary operator $P_1$ that adds $1$ modulo $N$, i.e., $P_1|x\rangle = |x+1\rangle$ for any $x \in \mathbb{Z}/N\mathbb{Z}$. According to Eq. (11), the eigenstates of this operator are precisely the Fourier basis states $|\hat x\rangle$, with eigenvalues $\omega_N^x$. Thus, using phase estimation on $P_1$ (with $n = O(\log N)$ bits of precision), we can approximate the transformation $|\hat x,0\rangle \mapsto |\hat x,x\rangle$. Reversing this operation, we can erase $|x\rangle$, giving the desired QFT. Note that we can perform $P_1^x$ in $\mathrm{poly}(\log N)$ steps even when $x$ is exponentially large in $\log N$, so the resulting procedure is indeed efficient.

Given the Fourier transform over $\mathbb{Z}/N\mathbb{Z}$, it is straightforward to implement the QFT over an arbitrary finite Abelian group using the decomposition of the group into cyclic factors, as discussed at the end of Section III.A.



FIG. 1 An efficient (size $O(n^2)$) quantum circuit for the quantum Fourier transform over $\mathbb{Z}/2^n\mathbb{Z}$. Note that the order of the $n$ output bits $z_0, \ldots, z_{n-1}$ is reversed, as compared with the order of the $n$ input bits $x_0, \ldots, x_{n-1}$. (Circuit diagram not reproduced; the gate labels visible in it are H and $R_2, R_3, \ldots, R_{n-1}, R_n$.)

If gates can be performed in parallel, it is possible to perform the QFT much more quickly, using only $O(\log\log N)$ time steps (Cleve and Watrous, 2000; Hales, 2002).

D. The QFT over a finite field

The elements of the finite field $\mathbb{F}_q$, where $q = p^m$ is a power of a prime number $p$, form an Abelian group under addition (see Appendix A), and the QFT over this group has many applications. If $q$ is prime, then $\mathbb{F}_q = \mathbb{Z}/q\mathbb{Z}$, so the QFT over $\mathbb{F}_q$ is straightforward. More generally, as an additive group, $\mathbb{F}_q = (\mathbb{Z}/p\mathbb{Z})^m$, so in principle, the QFT over $\mathbb{F}_q$ could be defined using an explicit isomorphism to $(\mathbb{Z}/p\mathbb{Z})^m$. However, it is often more convenient to define $\hat{\mathbb{F}}_q$ in terms of the (absolute) trace, the linear function $\mathrm{Tr} : \mathbb{F}_q \to \mathbb{F}_p$ defined by
$$\mathrm{Tr}(x) := x + x^p + x^{p^2} + \cdots + x^{p^{m-1}}. \qquad (25)$$
One can show that the functions $\psi_y : \mathbb{F}_q \to \mathbb{C}$ defined by
$$\psi_y(x) := \omega_p^{\mathrm{Tr}(xy)} \qquad (26)$$
for each $y \in \mathbb{F}_q$ form a complete set of additive characters of $\mathbb{F}_q$. Thus, the QFT over $\mathbb{F}_q$ can be written
$$F_{\mathbb{F}_q} = \frac{1}{\sqrt q}\sum_{x,y\in\mathbb{F}_q}\omega_p^{\mathrm{Tr}(xy)}|y\rangle\langle x|. \qquad (27)$$
This definition is preferred over other possible choices because it commutes with the permutation $|z\rangle \mapsto |z^p\rangle$ implementing the Frobenius automorphism, and hence respects the multiplicative structure of $\mathbb{F}_q$.

IV. ABELIAN HIDDEN SUBGROUP PROBLEM

A. Period finding over $\mathbb{Z}/N\mathbb{Z}$

Suppose we are given a function over the integers $0, 1, \ldots, N-1$ that is periodic with period $r$. Further, suppose that this function never takes the same value twice within the fundamental period (i.e., it is injective within each period). In other words, the function $f : \mathbb{Z}/N\mathbb{Z} \to S$ satisfies
$$f(x) = f(y) \text{ if and only if } \frac{x-y}{r} \in \mathbb{Z} \qquad (28)$$
for all $x, y \in \mathbb{Z}/N\mathbb{Z}$. Notice that this can only be the case if $r$ divides $N$, so that $f$ can have exactly $N/r$ periods.

If we know $N$, then we can find the period $r$ efficiently using the quantum Fourier transform over the additive group $\mathbb{Z}/N\mathbb{Z}$. We represent each element $x \in \mathbb{Z}/N\mathbb{Z}$ uniquely as an integer $x \in \{0, \ldots, N-1\}$. Similarly, the irreducible representations $\psi : \mathbb{Z}/N\mathbb{Z} \to \mathbb{C}$ can be labeled by integers $y \in \{0, \ldots, N-1\}$, namely with $\psi_y(x) = e^{2\pi i\,xy/N}$. The following algorithm solves the period finding problem.

Algorithm 2 (Period finding over $\mathbb{Z}/N\mathbb{Z}$).

Input: A black box $f : \mathbb{Z}/N\mathbb{Z} \to S$ satisfying Eq. (28) for some unknown $r \in \mathbb{Z}/N\mathbb{Z}$, where $r$ divides $N$.

Problem: Determine $r$.

1. Create the uniform superposition
$$|\mathbb{Z}/N\mathbb{Z}\rangle = \frac{1}{\sqrt N}\sum_{x\in\mathbb{Z}/N\mathbb{Z}}|x\rangle \qquad (29)$$
of all elements of $\mathbb{Z}/N\mathbb{Z}$ (recall the notation Eq. (3)). For example, this can be done by applying the Fourier transform over $\mathbb{Z}/N\mathbb{Z}$ to the state $|0\rangle$.

2. Query the function $f$ in an ancilla register, giving
$$\frac{1}{\sqrt N}\sum_{x\in\mathbb{Z}/N\mathbb{Z}}|x, f(x)\rangle. \qquad (30)$$

3. At this point, if we were to measure the ancilla register, the first register would be left in a superposition of those $x \in \mathbb{Z}/N\mathbb{Z}$ consistent with the observed function value. By the periodicity of $f$, this state would be of the form
$$|s + \langle r\rangle\rangle = \sqrt{\frac{r}{N}}\sum_{j=0}^{N/r-1}|s + jr\rangle \qquad (31)$$
for some unknown offset $s \in \{0, \ldots, r-1\}$ occurring uniformly at random, corresponding to the uniformly random observed function value $f(s)$. Since we will not use this function value, there is no need to explicitly measure the ancilla; ignoring the second register results in the same statistical description. Thus, we may simply discard the ancilla, giving a mixed quantum state, or equivalently, a random pure state.

4. Apply the Fourier transform over $\mathbb{Z}/N\mathbb{Z}$, giving
$$\frac{\sqrt r}{N}\sum_{y\in\mathbb{Z}/N\mathbb{Z}}\sum_{j=0}^{N/r-1}\omega_N^{(s+jr)y}|y\rangle. \qquad (32)$$
By the identity
$$\sum_{j=0}^{M-1}\omega_M^{jk} = M\,\delta_{k \bmod M,\,0} \qquad (33)$$
(applied with $M = N/r$, so $\omega_M^{jy} = \omega_N^{jry}$), only the values $y \in \{0, N/r, 2N/r, \ldots, (r-1)N/r\}$ experience constructive interference, and Eq. (32) equals
$$\frac{1}{\sqrt r}\sum_{k=0}^{r-1}\omega_r^{sk}|kN/r\rangle. \qquad (34)$$

5. Measure this state in the computational basis, giving some integer multiple $kN/r$ of $N/r$. Dividing this integer by $N$ gives the fraction $k/r$, which, when reduced to lowest terms, has $r/\gcd(r,k)$ as its denominator.

6. Repeating the above gives a second denominator $r/\gcd(r,k')$. If $k$ and $k'$ are relatively prime, the least common multiple of $r/\gcd(r,k)$ and $r/\gcd(r,k')$ is $r$. The probability of this happening is at least $\prod_{p\ \mathrm{prime}}(1 - 1/p^2) = 6/\pi^2 \approx 0.61$, so the algorithm succeeds with constant probability.



B. Computing discrete logarithms

Let $C = \langle g\rangle$ be a cyclic group generated by an element $g$, with the group operation written multiplicatively. Given an element $x \in C$, the discrete logarithm of $x$ in $C$ with respect to $g$, denoted $\log_g x$, is the smallest non-negative integer $\ell$ such that $g^\ell = x$. The discrete logarithm problem is the problem of calculating $\log_g x$ given $g$ and $x$. (Notice that for additive groups such as $G = \mathbb{Z}/p\mathbb{Z}$, the discrete log represents division: $\log_g x = x/g \bmod p$.)

1. Discrete logarithms and cryptography

Classically, the discrete logarithm seems like a good candidate for a one-way function. We can efficiently compute $g^\ell$, even if $\ell$ is exponentially large (in $\log|C|$), by repeated squaring. But given $x$, it is not immediately clear how to compute $\log_g x$ without checking exponentially many possibilities.

The apparent hardness of the discrete logarithm problem is the basis of the Diffie-Hellman key exchange protocol (Diffie and Hellman, 1976), the earliest published public-key cryptographic protocol. The goal of key exchange is for two distant parties, Alice and Bob, to agree on a secret key using only an insecure public channel. The Diffie-Hellman protocol works as follows:



1. Alice and Bob publicly agree on a large prime $p$ and an integer $g$ of high order. For simplicity, suppose they choose a $g$ for which $\langle g\rangle = (\mathbb{Z}/p\mathbb{Z})^\times$ (i.e., a primitive root modulo $p$). (In general, finding such a $g$ might be hard, but it can be done efficiently given certain restrictions on $p$.)

2a. Alice chooses some $a \in \mathbb{Z}/(p-1)\mathbb{Z}$ uniformly at random. She computes $A := g^a \bmod p$ and sends the result to Bob (keeping $a$ secret).

2b. Bob chooses some $b \in \mathbb{Z}/(p-1)\mathbb{Z}$ uniformly at random. He computes $B := g^b \bmod p$ and sends the result to Alice (keeping $b$ secret).

3a. Alice computes $K := B^a = g^{ab} \bmod p$.

3b. Bob computes $K := A^b = g^{ab} \bmod p$.

At the end of the protocol, Alice and Bob share a key $K$, and an eavesdropper Eve has only seen $p$, $g$, $A$, and $B$.
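The exchange of steps 1 to 3b, as an added example that is not code from the original article: it checks the assumption of step 1 that $g$ generates $(\mathbb{Z}/p\mathbb{Z})^\times$ (by testing $g^{(p-1)/q} \ne 1$ for each prime $q$ dividing $p-1$), runs both parties' computations, and returns the transcript $p, g, A, B$ that Eve observes alongside the two derived keys. The toy prime 23, the generator 5, the `rng` hook and the function names are assumptions of this example.

```python
import secrets

# Added example (not from the paper): Diffie-Hellman over a small constructed
# prime so that every value can be inspected. The parameters are toy values.


def factorize(n):
    """Trial-division factorization; adequate for the small moduli used here."""
    factors, d = [], 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def is_primitive_root(g, p):
    """True iff <g> = (Z/pZ)^x, i.e. g^((p-1)/q) != 1 mod p for every prime q dividing p-1."""
    if g % p == 0:
        return False
    return all(pow(g, (p - 1) // q, p) != 1 for q in set(factorize(p - 1)))


def diffie_hellman(p, g, rng=secrets.randbelow):
    """Run steps 1-3b; returns (Eve's view, Alice's key, Bob's key).

    rng(n) must return a uniform integer in [0, n); secrets.randbelow is the
    default, and a deterministic stub can be passed in for reproducible tests.
    """
    if not is_primitive_root(g, p):
        raise ValueError("g must generate (Z/pZ)^x in this simplified protocol")
    a = rng(p - 1)            # Alice's secret exponent in Z/(p-1)Z
    b = rng(p - 1)            # Bob's secret exponent in Z/(p-1)Z
    A = pow(g, a, p)          # step 2a: Alice sends A = g^a mod p
    B = pow(g, b, p)          # step 2b: Bob sends B = g^b mod p
    key_alice = pow(B, a, p)  # step 3a: K = B^a = g^ab mod p
    key_bob = pow(A, b, p)    # step 3b: K = A^b = g^ab mod p
    eve_sees = {"p": p, "g": g, "A": A, "B": B}
    return eve_sees, key_alice, key_bob


if __name__ == "__main__":
    view, k_alice, k_bob = diffie_hellman(23, 5)
    print(view, k_alice == k_bob)
```

Everything in `eve_sees` is public by construction; the exponents $a$ and $b$ never leave the two parties, which is exactly why recovering them from $A$ and $B$ (the discrete logarithm problem of the next paragraph) is the attack the protocol's security rests on.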

The security of the Diffie-Hellman protocol relies on the assumption that discrete log is hard. Clearly, if Eve can compute discrete logarithms, she can recover $a$ and $b$, and hence the key. But it is widely believed that the discrete logarithm problem is difficult for classical computers. The best known algorithms for general groups, such as Pollard's rho algorithm and the baby-step giant-step algorithm, run in time $O(\sqrt{|C|})$. For particular groups, it may be possible to do better: for example, over $(\mathbb{Z}/p\mathbb{Z})^\times$ with $p$ prime, the number field sieve is conjectured to compute discrete logarithms in time $2^{O((\log p)^{1/3}(\log\log p)^{2/3})}$ (Gordon, 1993) (whereas the best known rigorously analyzed algorithms run in time $2^{O(\sqrt{\log p\,\log\log p})}$ (Pomerance, 1987)); but this is still superpolynomial in $\log p$. It is suspected that breaking the Diffie-Hellman protocol is essentially as hard as computing the discrete logarithm.*

This protocol by itself only provides a means of exchanging a secret key, not of sending private messages. However, Alice and Bob can subsequently use their shared key in a symmetric encryption protocol to communicate securely. The ideas behind the Diffie-Hellman protocol can also be used to directly create public-key cryptosystems (similar in spirit to the widely used RSA cryptosystem), such as the ElGamal protocol; see for example (Buchmann, 2004; Menezes et al., 1996).



2. Shor's algorithm for discrete log

Although the problem appears to be difficult for classical computers, quantum computers can calculate discrete logarithms efficiently. Recall that we are given some element $x$ of a cyclic group $C = \langle g\rangle$ and we would like to calculate $\log_g x$, the smallest non-negative integer $\ell$ such that $g^\ell = x$.

* It is nevertheless an open question whether, given the ability to break the protocol, Eve can calculate discrete logarithms. Some partial results on this question are known (den Boer, 1990; Maurer and Wolf, 1999).

For simplicity, assume that the order of the group, $N := |C|$, is known. For example, if $C = (\mathbb{Z}/p\mathbb{Z})^\times$, then we know $N = p - 1$. If we do not know $N$, we can determine it efficiently using Shor's algorithm for period finding over $\mathbb{Z}$, which we discuss in Section IV.D. We also assume that $g \ne x$ (i.e., $\log_g x \ne 1$), since it is easy to check this.

The algorithm of Shor (1997) for computing discrete logarithms works as follows:

Algorithm 3 (Discrete logarithm).

Input: A cyclic group $C = \langle g\rangle$ and an element $x \in C$.

Problem: Calculate $\log_g x$.

1. If necessary, using the period finding algorithm of Section IV.D, determine the order $N = |C|$.

2. Create the uniform superposition
$$|\mathbb{Z}/N\mathbb{Z}\times\mathbb{Z}/N\mathbb{Z}\rangle = \frac{1}{N}\sum_{\alpha,\beta\in\mathbb{Z}/N\mathbb{Z}}|\alpha,\beta\rangle \qquad (35)$$
over all elements of the additive Abelian group $\mathbb{Z}/N\mathbb{Z}\times\mathbb{Z}/N\mathbb{Z}$.

3. Define a function $f : \mathbb{Z}/N\mathbb{Z}\times\mathbb{Z}/N\mathbb{Z} \to C$ as follows:
$$f(\alpha,\beta) := x^\alpha g^\beta. \qquad (36)$$
Compute this function in an ancilla register, giving
$$\frac{1}{N}\sum_{\alpha,\beta\in\mathbb{Z}/N\mathbb{Z}}|\alpha,\beta,f(\alpha,\beta)\rangle. \qquad (37)$$

4. Discard the ancilla register.† Since $f(\alpha,\beta) = g^{\alpha\log_g x + \beta}$, $f$ is constant on the lines
$$L_y := \{(\alpha,\beta)\in(\mathbb{Z}/N\mathbb{Z})^2 : \alpha\log_g x + \beta = y\}, \qquad (38)$$
so the remaining state is a uniform superposition over group elements consistent with a uniformly random, unknown $y \in \mathbb{Z}/N\mathbb{Z}$, namely
$$|L_y\rangle = \frac{1}{\sqrt N}\sum_{\alpha\in\mathbb{Z}/N\mathbb{Z}}|\alpha, y - \alpha\log_g x\rangle. \qquad (39)$$

5. Now we can exploit the symmetry of the quantum state by performing a QFT over $\mathbb{Z}/N\mathbb{Z}\times\mathbb{Z}/N\mathbb{Z}$, giving
$$\frac{1}{N^{3/2}}\sum_{\alpha,\mu,\nu\in\mathbb{Z}/N\mathbb{Z}}\omega_N^{\alpha\mu + (y - \alpha\log_g x)\nu}|\mu,\nu\rangle \qquad (40)$$
$$= \frac{1}{\sqrt N}\sum_{\nu\in\mathbb{Z}/N\mathbb{Z}}\omega_N^{\nu y}|\nu\log_g x,\nu\rangle, \qquad (41)$$
where we used the identity Eq. (33).

6. Measure this state in the computational basis. We obtain some pair $(\nu\log_g x, \nu)$ for a uniformly random $\nu \in \mathbb{Z}/N\mathbb{Z}$.

7. Repeating the above gives a second pair $(\nu'\log_g x, \nu')$ with a uniformly random $\nu' \in \mathbb{Z}/N\mathbb{Z}$, independent of $\nu$. With constant probability (at least $6/\pi^2 \approx 0.61$), $\nu$ and $\nu'$ are coprime, in which case we can find integers $\lambda$ and $\lambda'$ such that $\lambda\nu + \lambda'\nu' = 1$. Thus we can determine $\lambda\nu\log_g x + \lambda'\nu'\log_g x = \log_g x$.

† Note that if we were to measure the ancilla register instead of discarding it, the outcome would be unhelpful: each possible value $g^y$ occurs with equal probability, and we cannot obtain $y$ from $g^y$ unless we know how to compute discrete logarithms.

This algorithm can be carried out for any cyclic group $C$, given a unique representation of its elements and the ability to efficiently compute products and inverses in $C$. To efficiently compute $f(\alpha,\beta)$, we must compute high powers of a group element, which can be done quickly by repeated squaring.

In particular, Shor's algorithm for discrete log breaks the Diffie-Hellman key exchange protocol described above, in which $C = (\mathbb{Z}/p\mathbb{Z})^\times$. In Section IV.F we discuss further applications to cryptography, in which $C$ is the group corresponding to an elliptic curve.

C. Hidden subgroup problem for finite Abelian groups

Algorithms 2 and 3 solve particular instances of a more general problem, the Abelian hidden subgroup problem (or Abelian HSP). We now describe this problem and show how it can be solved efficiently on a quantum computer.

Let $G$ be a finite Abelian group with group operations written additively, and consider a function $f : G \to S$, where $S$ is some finite set. We say that $f$ hides the subgroup $H \le G$ if
$$f(x) = f(y) \text{ if and only if } x - y \in H \qquad (42)$$
for all $x, y \in G$. In the Abelian hidden subgroup problem, we are asked to find a generating set for $H$ given the ability to query the function $f$.

It is clear that $H$ can in principle be reconstructed from the entire truth table of $f$. Notice in particular that $f(0) = f(x)$ if and only if $x \in H$: the hiding function is constant on the hidden subgroup, and does not take that value anywhere else. Furthermore, fixing any $y \in G$, we see that $f(y) = f(x)$ if and only if $x \in y + H := \{y + h : h \in H\}$, a coset of $H$ in $G$ with coset representative $y$. So $f$ is constant on the cosets of $H$ in $G$, and distinct on different cosets.

The simplest example of the Abelian hidden subgroup problem is Simon's problem, in which $G = (\mathbb{Z}/2\mathbb{Z})^n$ and $H = \{0, x\}$ for some unknown $x \in (\mathbb{Z}/2\mathbb{Z})^n$. Simon's efficient quantum algorithm for this problem (Simon, 1997) led the way to Shor's algorithms for other instances of the Abelian HSP.

The period finding problem discussed in Section IV.A is the Abelian HSP with $G = \mathbb{Z}/N\mathbb{Z}$. The subgroups of $G$ are of the form $H = \{0, r, 2r, \ldots, N - r\}$ (of order $|H| = N/r$), where $r$ is a divisor of $N$. Thus a function hides $H$ according to Eq. (42) precisely when it is $r$-periodic, as in Eq. (28). We have already seen that such a subgroup can be found efficiently.

The quantum algorithm for discrete log, as discussed in Section IV.B, solves an Abelian hidden subgroup problem in the group $\mathbb{Z}/N\mathbb{Z}\times\mathbb{Z}/N\mathbb{Z}$. The function defined in Eq. (36) hides the subgroup
$$H = \{(\alpha, -\alpha\log_g x) : \alpha \in \mathbb{Z}/N\mathbb{Z}\}. \qquad (43)$$
Shor's algorithm computes $\log_g x$ by finding this hidden subgroup.

More generally, there is an efficient quantum algorithm to identify any hidden subgroup $H \le G$ of a known finite Abelian group $G$. (In Section VII.C we relax the commutativity restriction to the requirement that $H$ is a normal subgroup of $G$, which is always the case if $G$ is Abelian.) The algorithm for the general Abelian hidden subgroup problem is as follows:

Algorithm 4 (Abelian hidden subgroup problem).

Input: A black-box function $f : G \to S$ hiding some $H \le G$.

Problem: Find a generating set for $H$.

1. Create a uniform superposition $|G\rangle$ over the elements of the group.

2. Query the function $f$ in an ancilla register, giving the state
$$\frac{1}{\sqrt{|G|}}\sum_{x\in G}|x, f(x)\rangle. \qquad (44)$$

3. Discard the ancilla register, giving the coset state
$$|s + H\rangle = \frac{1}{\sqrt{|H|}}\sum_{y\in H}|s + y\rangle \qquad (45)$$
for some unknown, uniformly random $s \in G$. Equivalently, the state can be described by the density matrix
$$\rho_H := \frac{1}{|G|}\sum_{s\in G}|s + H\rangle\langle s + H|. \qquad (46)$$

4. Apply the QFT over $G$ to this state. According to the definition of the QFT in Eq. (9), the result is
$$\frac{1}{\sqrt{|G||H|}}\sum_{\psi\in\hat G}\sum_{y\in H}\psi(s + y)|\psi\rangle \qquad (47)$$
$$= \sqrt{\frac{|H|}{|G|}}\sum_{\psi\in\hat G}\psi(s)\,\psi(H)\,|\psi\rangle, \qquad (48)$$
where
$$\psi(H) := \frac{1}{|H|}\sum_{y\in H}\psi(y). \qquad (49)$$
If $\psi(y) = 1$ for all $y \in H$, then clearly $\psi(H) = 1$. On the other hand, if there is any $y \in H$ with $\psi(y) \ne 1$ (i.e., if the restriction of $\psi$ to $H$ is not the trivial character of $H$), then by the orthogonality of distinct irreducible characters (Theorem 6 in Appendix B), $\psi(H) = 0$. Thus we have the state
$$\sqrt{\frac{|H|}{|G|}}\sum_{\psi\in\hat G,\ \mathrm{Res}_H\psi = 1}\psi(s)|\psi\rangle \qquad (50)$$
or, equivalently, the mixed quantum state
$$\frac{|H|}{|G|}\sum_{\psi\in\hat G,\ \mathrm{Res}_H\psi = 1}|\psi\rangle\langle\psi|, \qquad (51)$$
where $\mathrm{Res}_H\psi = 1$ means that $\psi(h) = 1$ for all $h \in H$.

5. Measure in the computational basis. Then we obtain one of the $|G|/|H|$ characters $\psi \in \hat G$ that is trivial on the hidden subgroup $H$, with every such character occurring with equal probability $|H|/|G|$. Letting $\ker\psi := \{g \in G : \psi(g) = 1\}$ denote the kernel of the character $\psi$ (which is a subgroup of $G$), we learn that $H \le \ker\psi$.

6. Repeat the entire process $T$ times, obtaining characters $\psi_1, \ldots, \psi_T$, and output a generating set for $K_T$, where $K_t := \bigcap_{j=1}^t\ker\psi_j$. We are guaranteed that $H \le K_t$ for any $t$. A simple calculation shows that if $K_t \ne H$, then $|K_{t+1}|/|K_t| \le 1/2$ with probability at least $1/2$. Thus, we can choose $T = O(\log|G|)$ such that $K_T = H$ with high probability.

In summary, given a black-box function $f$ hiding a subgroup $H$ of a known finite Abelian group $G$, a quantum computer can determine $H$ in time $\mathrm{poly}(\log|G|)$, and in particular, using only $\mathrm{poly}(\log|G|)$ queries to the function $f$. Of course, this assumes that we can efficiently implement group operations in $G$ using some unique representation of its elements.

In contrast, the Abelian hidden subgroup problem is typically hard for classical computers. For example, an argument based on the birthday problem shows that even the simple case of Simon's problem (where $G = (\mathbb{Z}/2\mathbb{Z})^n$) has classical query complexity $\Omega(\sqrt{2^n})$ (Simon, 1997). While certain special cases are easy (for example, since the only subgroups of $\mathbb{Z}/p\mathbb{Z}$ with $p$ prime are itself and the trivial subgroup, period finding over $\mathbb{Z}/p\mathbb{Z}$ is trivial), the classical query complexity of the Abelian HSP is usually exponential. In particular, one can show that if $G$ has a set of $N$ subgroups with trivial pairwise intersection, then the classical query complexity of the HSP in $G$ is $\Omega(\sqrt N)$. (For a proof in the case where $G = \mathbb{F}_q \times \mathbb{F}_q$, see de Beaudrap et al. (2002).)
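Algorithm 4 on the two instances discussed in this section, as an added example that is not code from the original article: a brute-force simulation of Fourier sampling over $G = \mathbb{Z}/N_1\mathbb{Z}\times\cdots\times\mathbb{Z}/N_k\mathbb{Z}$ that samples characters trivial on $H$ (steps 3 to 5) and intersects their kernels (step 6). It is run on the discrete-log subgroup of Eq. (43) with $f$ from Eq. (36), so it also serves Algorithm 3 of Section IV.B, and on Simon's problem. The toy group $(\mathbb{Z}/11\mathbb{Z})^\times$ with $g = 2$, the hiding functions, the seed and all function names are assumptions of this example; evaluating $f$ on all of $G$ to build the coset state stands in for the oracle query of step 2.

```python
import cmath
import itertools
import math
import random

# Added example (not from the paper): brute-force simulation of the Fourier
# sampling in Algorithm 4 over a product of cyclic groups. All instances and
# parameters below are constructed toy values.


def group_elements(moduli):
    """All elements of Z/N_1 x ... x Z/N_k, as tuples."""
    return list(itertools.product(*(range(m) for m in moduli)))


def hidden_subgroup(moduli, f):
    """H = {x : f(x) = f(0)}, the subgroup hidden by f (brute force over G)."""
    zero = tuple(0 for _ in moduli)
    return [x for x in group_elements(moduli) if f(x) == f(zero)]


def character(y, x, moduli):
    """psi_y(x) = prod_i omega_{N_i}^{x_i y_i}, a character of the product group."""
    return cmath.exp(2j * math.pi * sum(xi * yi / m for xi, yi, m in zip(x, y, moduli)))


def fourier_sample_distribution(moduli, f, s):
    """Outcome distribution of step 4 applied to the coset state |s+H>, Eqs. (45)-(48)."""
    elems = group_elements(moduli)
    H = hidden_subgroup(moduli, f)
    norm = 1 / math.sqrt(len(elems) * len(H))
    dist = {}
    for y in elems:
        amp = norm * sum(
            character(y, tuple((si + hi) % m for si, hi, m in zip(s, h, moduli)), moduli)
            for h in H)
        if abs(amp) ** 2 > 1e-12:
            dist[y] = abs(amp) ** 2
    return dist


def kernel_intersection(moduli, ys):
    """K_t = intersection of ker psi_y over the sampled characters (step 6)."""
    return [x for x in group_elements(moduli)
            if all(abs(character(y, x, moduli) - 1) < 1e-9 for y in ys)]


def solve_abelian_hsp(moduli, f, rounds, seed=0):
    """Algorithm 4: sample `rounds` characters trivial on H and return K_T as a list."""
    rng = random.Random(seed)
    elems = group_elements(moduli)
    ys = []
    for _ in range(rounds):
        s = rng.choice(elems)                          # random coset, step 3
        dist = fourier_sample_distribution(moduli, f, s)
        outcomes, weights = zip(*dist.items())
        ys.append(rng.choices(outcomes, weights)[0])   # measurement, step 5
    return kernel_intersection(moduli, ys)


def discrete_log_instance(p, g, x):
    """Eq. (36): f(alpha, beta) = x^alpha g^beta on Z/NZ x Z/NZ with N = p - 1 (g a primitive root)."""
    N = p - 1
    return [N, N], (lambda ab: (pow(x, ab[0], p) * pow(g, ab[1], p)) % p)


def discrete_log_from_subgroup(K, N):
    """Read log_g x off H = {(alpha, -alpha log_g x)}: the element with alpha = 1 has beta = -log_g x."""
    beta = next(b for (a, b) in K if a == 1)
    return (-beta) % N


def simon_instance(n, secret):
    """Simon's problem on (Z/2Z)^n: f(x) = f(x xor secret), hiding H = {0, secret}."""
    def f(x):
        v = sum(bit << i for i, bit in enumerate(x))
        return min(v, v ^ secret)
    return [2] * n, f


if __name__ == "__main__":
    moduli, f = discrete_log_instance(11, 2, 8)       # 2^3 = 8 mod 11, so log_2 8 = 3
    K = solve_abelian_hsp(moduli, f, rounds=20)
    print("recovered log_g x =", discrete_log_from_subgroup(K, 10))
```

For the discrete-log instance every sampled pair $(\mu,\nu)$ satisfies $\mu = \nu\log_g x \bmod N$, which is the content of Eq. (41), and each of the $|G|/|H| = N$ such pairs appears with probability $1/N$; the kernel intersection then stabilizes at $H$ once the sampled $\nu$ values generate $\mathbb{Z}/N\mathbb{Z}$, the same event step 7 of Algorithm 3 waits for.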



D. Period finding over $\mathbb{Z}$

In the previous section, we saw that the Abelian HSP can be solved efficiently over any known finite Abelian group. In this section we consider the HSP over an infinite Abelian group, namely $\mathbb{Z}$ (Shor, 1997). Similar ideas can be used to solve the HSP over any finitely generated Abelian group (Mosca and Ekert, 1999). (For an Abelian group that is not finitely generated, new ideas are required, as we discuss in Section V.D.)

The HSP in $\mathbb{Z}$ is of interest when we are faced with a periodic function $f$ over an unknown domain. For example, Shor's factoring algorithm (Section IV.E) works by finding the period of a function defined over $\mathbb{Z}$. Without knowing the factorization, it is unclear how to choose a finite domain whose size is a multiple of the unknown period, so we cannot immediately apply the period finding algorithm from Section IV.A.

FIG. 2 Sampling an $r$-periodic function over $\mathbb{Z}/N\mathbb{Z}$.

Of course, we cannot represent arbitrary integers on a computer with finitely many bits. Instead, we can restrict the function to the inputs $\{0, 1, \ldots, N-1\}$ for some chosen $N$ and perform Fourier sampling over $\mathbb{Z}/N\mathbb{Z}$. This can work even when the function is not precisely periodic over $\mathbb{Z}/N\mathbb{Z}$, provided $N$ is sufficiently large. To simplify the implementation of the QFT, we can choose $N = 2^n$ to be a power of 2.

This approach can only work if the period is sufficiently small, since otherwise we could miss the period entirely. We will see how to choose $N$ if given an a priori upper bound on the period. If we do not initially have such a bound, we can simply start with $N = 2$ and repeatedly double $N$ until the period finding algorithm succeeds. The overhead incurred by this procedure is only $\mathrm{poly}(\log r)$.

Algorithm 5 (Period finding over $\mathbb{Z}$).

Input: A black box $f : \mathbb{Z}/N\mathbb{Z} \to S$ satisfying Eq. (28) for some $r \in \mathbb{Z}$ with $r < N$, where $r$ does not necessarily divide $N$.

Problem: Determine $r$.

1. Prepare the uniform superposition $|\mathbb{Z}/N\mathbb{Z}\rangle$.

2. Query the function in an ancilla register, giving
$$\frac{1}{\sqrt N}\sum_{x\in\mathbb{Z}/N\mathbb{Z}}|x, f(x)\rangle. \qquad (52)$$

3. Discard the ancilla register, leaving the first register in a uniform superposition over those $x \in \mathbb{Z}/N\mathbb{Z}$ consistent with some particular function value. Since $f$ is periodic with minimum period $r$, we obtain a superposition over points separated by $r$. The number of such points, $n$, depends on where the first point, $x_0 \in \{0, 1, \ldots, r-1\}$, appears. When restricted to $\mathbb{Z}/N\mathbb{Z}$, the function has $\lfloor N/r\rfloor$ full periods and $N - r\lfloor N/r\rfloor$ remaining points, as depicted in Figure 2. Thus
$$n = \begin{cases}\lfloor N/r\rfloor + 1 & x_0 < N - r\lfloor N/r\rfloor \\ \lfloor N/r\rfloor & \text{otherwise.}\end{cases} \qquad (53)$$
In other words, we are left with the quantum state
$$\frac{1}{\sqrt n}\sum_{j=0}^{n-1}|x_0 + jr\rangle \qquad (54)$$
where $x_0$ occurs nearly uniformly at random (specifically, it appears with probability $n/N$) and is unknown.

4. Apply the Fourier transform over $\mathbb{Z}/N\mathbb{Z}$, giving
$$\frac{1}{\sqrt{nN}}\sum_{k\in\mathbb{Z}/N\mathbb{Z}}\sum_{j=0}^{n-1}\omega_N^{k(x_0 + jr)}|k\rangle. \qquad (55)$$
If we were lucky enough to choose a value of $N$ for which $r \mid N$, then $n = N/r$ regardless of the value of $x_0$, and the sum over $j$ gives $n\,\delta_{k \bmod n,\,0}$ by Eq. (33), so this state is identical to Eq. (34). But more generally, the sum over $j$ in Eq. (55) is the geometric series
$$\sum_{j=0}^{n-1}\omega_N^{jkr} = \frac{\omega_N^{nkr} - 1}{\omega_N^{kr} - 1} = \omega_N^{(n-1)kr/2}\,\frac{\sin(\pi krn/N)}{\sin(\pi kr/N)}. \qquad (56)$$

5. Measure in the computational basis. The probability of seeing a particular value $k$ is
$$\Pr(k) = \frac{\sin^2(\pi krn/N)}{nN\sin^2(\pi kr/N)}. \qquad (57)$$
From the case where $n = N/r$, we expect this distribution to be strongly peaked around values of $k$ that are close to integer multiples of $N/r$. The probability of seeing $k = \lfloor jN/r\rceil = jN/r + \epsilon$ for some $j \in \mathbb{Z}$, where $\lfloor x\rceil$ denotes the nearest integer to $x$, is
$$\Pr(k = \lfloor jN/r\rceil) = \frac{\sin^2(\pi jn + \pi\epsilon rn/N)}{nN\sin^2(\pi j + \pi\epsilon r/N)} \qquad (58)$$
$$= \frac{\sin^2(\pi\epsilon rn/N)}{nN\sin^2(\pi\epsilon r/N)}. \qquad (59)$$
Using the inequalities $4x^2/\pi^2 \le \sin^2 x \le x^2$ (where the lower bound holds for $|x| \le \pi/2$, and can be applied since $|\epsilon| \le 1/2$), we find
$$\Pr(k = \lfloor jN/r\rceil) \ge \frac{4}{\pi^2 r}. \qquad (60)$$
This bound shows that Fourier sampling produces a value of $k$ that is the closest integer to one of the $r$ integer multiples of $N/r$ with probability $\Omega(1)$.

6. To discover $r$ given one of the values $\lfloor jN/r\rceil$, divide by $N$ to obtain a rational approximation to $j/r$ that deviates by at most $1/2N$, and compute the positive integers $a_1, a_2, \ldots$ in the continued fraction expansion (CFE)
$$\frac{\lfloor jN/r\rceil}{N} = \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{a_3 + \cdots}}}. \qquad (61)$$
This expansion gives a sequence of successively better approximations to $\lfloor jN/r\rceil/N$ by fractions, called the convergents of the CFE. By (Hardy and Wright, 1979, Theorem 184), any fraction $p/q$ with $|p/q - \lfloor jN/r\rceil/N| < 1/2q^2$ will appear as one of the convergents. Since $j/r$ differs by at most $1/2N$ from $\lfloor jN/r\rceil/N$, the fraction $j/r$ will appear as a convergent provided $r^2 < N$. Thus, we carry out the CFE until we obtain the closest convergent to $\lfloor jN/r\rceil/N$ whose denominator is smaller than our a priori upper bound on the period; this denominator must equal $r$. These calculations can be done in polynomial time using standard techniques; see for example (Hardy and Wright, 1979, Chapter X).

Notice that period finding can efficiently determine the order of a given group element $g \in G$, the smallest $r \in \{1, 2, \ldots\}$ such that $g^r = 1$. This follows because the function $f : \mathbb{Z} \to G$ defined by $f(j) := g^j$ is periodic, with period equal to the order of $g$ in $G$. In particular, this allows us to find the order of a cyclic group $C = \langle g\rangle$, as needed in Algorithm 3. In contrast, the classical query complexity of computing the order of a permutation of $2^n$ elements is $\Theta(2^{n/3}/\sqrt n)$ (Cleve, 2004).
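The Fourier sampling statistics of Algorithms 2 and 5 and the continued-fraction step, as an added example that is not code from the original article and that serves both Section IV.A and this section: the outcome distribution is computed from the amplitudes of Eq. (54) (with $r \mid N$ it collapses onto the multiples of $N/r$ of Eq. (34)), checked against the closed form of Eq. (57), and the probability mass on the $r$ nearest integers $\lfloor jN/r\rceil$ is compared with the $\Omega(1)$ bound of Eq. (60); the convergents of Eq. (61) then recover $r$ from a sampled $k$. The values $N = 256$, $r = 10$, $x_0 = 3$, the period bound and the function names are assumptions of this example.

```python
import cmath
import math
from fractions import Fraction

# Added example (not from the paper): classical computation of the Fourier
# sampling statistics of Algorithms 2 and 5 and of the continued-fraction
# post-processing in step 6. N, r and x_0 are constructed toy values.


def fourier_sampling_distribution(N, r, x0):
    """Pr[k] after the QFT over Z/NZ of (1/sqrt n) sum_j |x0 + j r>, Eq. (54).

    Computed from the amplitudes, so it also covers Algorithm 2 (r | N),
    where only multiples of N/r survive, Eq. (34).
    """
    points = list(range(x0, N, r))          # the n points x0, x0 + r, ... below N
    n = len(points)
    probs = []
    for k in range(N):
        amp = sum(cmath.exp(2j * math.pi * k * x / N) for x in points) / math.sqrt(n * N)
        probs.append(abs(amp) ** 2)
    return probs


def closed_form_probability(N, r, n, k):
    """Eq. (57): sin^2(pi k r n / N) / (n N sin^2(pi k r / N)); k r / N integer handled separately."""
    den = math.sin(math.pi * k * r / N)
    if abs(den) < 1e-12:
        return n / N                        # every term of Eq. (56) equals 1
    return math.sin(math.pi * k * r * n / N) ** 2 / (n * N * den ** 2)


def max_formula_error(N, r, x0):
    """Largest gap over all k between the brute-force distribution and Eq. (57)."""
    n = len(range(x0, N, r))
    probs = fourier_sampling_distribution(N, r, x0)
    return max(abs(probs[k] - closed_form_probability(N, r, n, k)) for k in range(N))


def nearest_multiples_probability(N, r, x0):
    """Total probability of the r outcomes k = round(j N / r); Eq. (60) bounds each by 4/(pi^2 r)."""
    probs = fourier_sampling_distribution(N, r, x0)
    return sum(probs[round(j * N / r) % N] for j in range(r))


def continued_fraction_convergents(num, den):
    """Convergents of the CFE of num/den, Eq. (61), as Fractions in order."""
    x = Fraction(num, den)
    convergents = []
    h_prev, h = 0, 1                        # numerators:   h_i = a_i h_{i-1} + h_{i-2}
    k_prev, k = 1, 0                        # denominators: k_i = a_i k_{i-1} + k_{i-2}
    while True:
        a = math.floor(x)
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        convergents.append(Fraction(h, k))
        if x == a:
            return convergents
        x = 1 / (x - a)


def recover_period(k, N, period_bound):
    """Step 6: denominator of the last convergent of k/N below the a priori bound on r."""
    return max(c.denominator for c in continued_fraction_convergents(k, N)
               if c.denominator < period_bound)


if __name__ == "__main__":
    N, r, x0 = 256, 10, 3                   # r does not divide N, so this is Algorithm 5
    print("mass on the r nearest integers:", nearest_multiples_probability(N, r, x0))
    print("max |brute force - Eq. (57)|:", max_formula_error(N, r, x0))
    print("k = 77 = round(3 * 256 / 10) gives r =", recover_period(77, N, 16))
```

With $N = 256$ and $r = 10$ (so $r^2 < N$ and the period bound 16 applies), the sample $k = 77 = \lfloor 3N/r\rceil$ yields convergents $0, 1/3, 3/10, 37/123, 77/256$, and the last denominator below the bound is $10$. As the code makes visible, a sample with $\gcd(j, r) > 1$ (or $j = 0$) returns a proper divisor of $r$ instead, which is why the procedure is repeated in practice.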

E. Factoring integers

Perhaps the best-known application of quantum computers is to the problem of factoring integers (Shor, 1997). At present, the most widely used public-key cryptosystem, RSA (Rivest et al., 1978), is based on the presumed difficulty of this problem.** The fastest rigorously analyzed classical algorithm for factoring an integer $N$ has running time $2^{O(\sqrt{\log N\,\log\log N})}$ (see for example Pomerance (1987)), and the best known classical algorithm is believed to be the number field sieve (Buhler et al., 1993), which is conjectured to run in time $2^{O((\log N)^{1/3}(\log\log N)^{2/3})}$. Both of these running times are superpolynomial in $\log N$. In contrast, a quantum computer can factor $N$ in time $O(\log^3 N)$. Thus, the development of a large-scale quantum computer could have dramatic implications for the practice of cryptography.

We have already discussed the core of Shor's quantum factoring algorithm, the ability to perform period finding over the integers. It remains to see how factoring can be reduced to a particular instance of period finding.

To efficiently factor a given integer $N$, it suffices to efficiently produce some nontrivial factor of $N$ (i.e., a factor other than 1 or $N$) with constant probability. The repeated use of such a subroutine, combined with an efficient primality testing algorithm (Agrawal et al., 2004; Miller, 1976; Rabin, 1980), can be used to find all the prime factors of $N$. It is easy to check whether 2 divides $N$, so we can focus on the case of $N$ odd without loss of generality. Furthermore, it is straightforward to check whether $N$ is a prime power, or indeed whether it is the $k$th power of any integer, simply by computing $\sqrt[k]{N}$ for $k = 2, 3, \ldots, \log_2 N$, so we can assume that $N$ has at least two distinct prime factors.

** The RSA protocol uses similar ideas to the Diffie-Hellman protocol (Section IV.B), but relies on a different assumption and achieves secure communication instead of key exchange. Note that breaking RSA might be easier than factoring. For elementary discussions of the details of RSA and related protocols, see (Buchmann, 2004; Menezes et al., 1996).



The reduction from finding some nontrivial factor of an odd $N$ to order finding in the multiplicative group $(\mathbb{Z}/N\mathbb{Z})^\times$ is due to Miller (1976). Suppose we choose $a \in \{2, 3, \ldots, N-1\}$ uniformly at random from those values that are coprime to $N$. Furthermore, assume for now that the order $r$ of $a$ is even. Then since $a^r = 1 \bmod N$, we have $(a^{r/2})^2 - 1 = 0 \bmod N$, or equivalently,
$$(a^{r/2} - 1)(a^{r/2} + 1) = 0 \bmod N. \qquad (62)$$
Since $N$ divides the product $(a^{r/2} - 1)(a^{r/2} + 1)$, we might hope for $\gcd(a^{r/2} - 1, N)$ to be a nontrivial factor of $N$. Notice that $\gcd(a^{r/2} - 1, N) \ne N$, since if it were, the order of $a$ would be at most $r/2$. Thus it suffices to ensure that $\gcd(a^{r/2} - 1, N) \ne 1$, which holds if $a^{r/2} \ne -1 \bmod N$. In Lemma 2 below, we show that a random value of $a$ satisfies these properties with probability at least $1/2$, provided $N$ has at least two distinct prime factors. Thus the following quantum algorithm can be used to factor $N$:

Algorithm 6 (Integer factorization).

Input: An odd integer $N$ with at least two distinct prime factors.

Problem: Determine some nontrivial factor of $N$.

1. Choose a random $a \in \{2, 3, \ldots, N-1\}$.

2. Compute $\gcd(a, N)$ using the Euclidean algorithm. If the result is different from 1, then it is a nontrivial factor of $N$, and we are done. More likely, $\gcd(a, N) = 1$, and we continue.

3. Using Algorithm 5, determine the order $r$ of $a$ modulo $N$. If $r$ is odd, the algorithm has failed, and we return to step 1. If $r$ is even, we continue.

4. Compute $\gcd(a^{r/2} - 1, N)$. If the result is different from 1, then it is a nontrivial factor of $N$. Otherwise, return to step 1.

Lemma 2. Suppose $a$ is chosen uniformly at random from $(\mathbb{Z}/N\mathbb{Z})^\times$, where $N$ is an odd integer with at least two distinct prime factors. Then with probability at least $1/2$, the multiplicative order $r$ of $a$ modulo $N$ is even, and $a^{r/2} \ne -1 \bmod N$.

Proof. Suppose $N = p_1^{m_1}\cdots p_k^{m_k}$ is the factorization of $N$ into powers of $k \ge 2$ distinct odd primes. By the Chinese remainder theorem, there are unique values $a_i \in \mathbb{Z}/p_i^{m_i}\mathbb{Z}$ such that $a = a_i \bmod p_i^{m_i}$. Let $r_i$ be the multiplicative order of $a_i$ modulo $p_i^{m_i}$, and let $2^{c_i}$ be the largest power of 2 that divides $r_i$. We claim that if $r$ is odd or if $a^{r/2} = -1 \bmod N$, then $c_1 = \cdots = c_k$. Since $r = \mathrm{lcm}(r_1, \ldots, r_k)$, we have $c_1 = \cdots = c_k = 0$ when $r$ is odd. On the other hand, if $r$ is even and $a^{r/2} = -1 \bmod N$, then for each $i$ we have $a^{r/2} = -1 \bmod p_i^{m_i}$, so $r_i$ does not divide $r/2$; but we know that $r/r_i$ is an integer, so it must be odd, which implies that each $r_i$ has the same number of powers of 2 in its prime factorization.

Now we claim that the probability of any given $c_i$ taking on any particular value is at most $1/2$, which implies that $\Pr(c_1 = c_2) \le 1/2$, and the desired conclusion follows. To see this, consider $a$ chosen uniformly at random from $(\mathbb{Z}/N\mathbb{Z})^\times$, or equivalently, each $a_i$ chosen uniformly at random from $(\mathbb{Z}/p_i^{m_i}\mathbb{Z})^\times$. The order of the latter group is $\varphi(p_i^{m_i}) = (p_i - 1)p_i^{m_i - 1} = 2^{d_i}q_i$ for some positive integer $d_i$ and some odd integer $q_i$. The number of $a_i \in (\mathbb{Z}/p_i^{m_i}\mathbb{Z})^\times$ of odd order is $q_i$, and the number of $a_i$'s with any particular $c_i \in \{1, \ldots, d_i\}$ is $2^{c_i - 1}q_i$. In particular, the highest-probability event is $c_i = d_i$, which happens with probability only $1/2$. □
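Miller's reduction and Algorithm 6, as an added example that is not code from the original article: the classical steps 1, 2 and 4 are run as written, with brute-force order finding standing in for the quantum subroutine of step 3, and Lemma 2 is checked exhaustively by counting, over all of $(\mathbb{Z}/N\mathbb{Z})^\times$, the elements whose order is even with $a^{r/2} \ne -1 \bmod N$. The moduli 15, 21, 35 and 91, the retry limit and all function names are assumptions of this example.

```python
import math
import random

# Added example (not from the paper): Algorithm 6 on small constructed moduli,
# with brute-force order finding in place of Algorithm 5, plus an exhaustive
# check of the probability bound of Lemma 2.


def multiplicative_order(a, N):
    """Smallest r >= 1 with a^r = 1 mod N; brute force, requires gcd(a, N) = 1.

    This is the only step the quantum algorithm performs differently: Algorithm 5
    finds r with poly(log N) work, whereas this loop takes up to N steps.
    """
    r, x = 1, a % N
    while x != 1:
        x = (x * a) % N
        r += 1
    return r


def satisfies_lemma_2(a, N):
    """Order r of a is even and a^(r/2) != -1 mod N, the condition of Lemma 2."""
    r = multiplicative_order(a, N)
    return r % 2 == 0 and pow(a, r // 2, N) != N - 1


def fraction_of_good_a(N):
    """Fraction of a in (Z/NZ)^x satisfying Lemma 2; the lemma says this is >= 1/2."""
    units = [a for a in range(1, N) if math.gcd(a, N) == 1]
    return sum(satisfies_lemma_2(a, N) for a in units) / len(units)


def factor_attempt(N, a):
    """Steps 2-4 of Algorithm 6 for a fixed a; a nontrivial factor of N, or None on failure."""
    g = math.gcd(a, N)
    if g != 1:
        return g                               # step 2: a already shares a factor with N
    r = multiplicative_order(a, N)             # step 3 (quantum in the real algorithm)
    if r % 2:
        return None                            # odd order: go back to step 1
    g = math.gcd(pow(a, r // 2, N) - 1, N)     # step 4, from Eq. (62)
    return g if 1 < g < N else None


def shor_factor(N, rng=None, max_tries=100):
    """Algorithm 6 with retries; assumes N is odd with at least two distinct prime factors."""
    rng = rng or random.Random(0)
    for _ in range(max_tries):
        a = rng.randrange(2, N)                # step 1
        factor = factor_attempt(N, a)
        if factor is not None:
            return factor
    raise RuntimeError("no factor found; the assumptions on N may not hold")


if __name__ == "__main__":
    for N in (15, 21, 35, 91):
        print(N, "good a fraction", fraction_of_good_a(N), "factor", shor_factor(N))
```

For $N = 15$ and $a = 7$ the order is $r = 4$, $a^{r/2} = 49 = 4 \bmod 15$, and $\gcd(3, 15) = 3$ is the factor; $a = 14 = -1 \bmod 15$ has order 2 with $a^{r/2} = -1$, the failure case the lemma bounds, and indeed 6 of the 8 units modulo 15 are good, well above the $1/2$ guaranteed.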

F. Breaking elliptic curve cryptography 

As discussed in Section IV.B, Shor's algorithm allows 
quantum computers to break cryptographic protocols based 
on the presumed hardness of the discrete logarithm problem 
in (Z/A^Z)^, such as the Diffie-Hellman key exchange proto- 
col. However, Shor's algorithm works equally well for calcu- 
lating discrete logarithms in any finite group, provided only 
that group elements can be represented uniquely and operated 
on efficiently. In particular, quantum computers can also ef- 
ficiently calculate discrete logarithms over the group corre- 
sponding to an elliptic curve, thereby breaking elliptic curve 
cryptography. 

An elliptic curve is a cubic, nonsingular, planar curve over some field. (The terminology "elliptic curve" has to do with a connection to elliptic functions.) For simplicity, suppose we choose a field with characteristic not equal to 2 or 3. (Cryptographic applications often use the field $\mathbb{F}_{2^n}$ of characteristic 2, but the definition of an elliptic curve is slightly more complicated in this case.) Then, by suitable linear transformations, any elliptic curve can be rewritten in the form of the Weierstrass equation,

    $y^2 = x^3 + ax + b$,   (63)

where $a, b$ are parameters. The set of points $(x,y)$ satisfying this equation form an elliptic curve. To be nonsingular, the discriminant $\Delta := -16(4a^3 + 27b^2)$ must be nonzero. Typically, one considers elliptic curves in the projective plane rather than the affine plane, which means that one point at infinity must be included in the set of solutions. (For further details on the concepts of projective curves, points at infinity, and nonsingularity, see Appendix C.)

An example of an elliptic curve over the field $\mathbb{R}$ (namely, the curve $y^2 = x^3 - x + 1$) is shown in Figure 3. Although such pictures are helpful for developing intuition about elliptic curves, it is useful in cryptographic applications to have a curve whose points can be represented exactly with a finite number of bits, so we use curves over finite fields. For simplicity, we will only consider the field $\mathbb{F}_p$ where $p$ is a prime larger than 3.

Example. Consider the curve

    $E = \{(x,y) \in \mathbb{F}_7^2 : y^2 = x^3 - x + 1\}$   (64)

over $\mathbb{F}_7$. It has $4a^3 + 27b^2 = -4 + 27 \equiv 2 \pmod 7$, so it is nonsingular. It is straightforward to check that the points on this curve are

    $E = \{O, (0,1), (0,6), (1,1), (1,6), (2,0), (3,2), (3,5), (5,3), (5,4), (6,1), (6,6)\}$,

where $O$ denotes the point at infinity.

FIG. 3 The group law for an elliptic curve: $P + Q = -R$. The points $P$ and $Q$ sum to the point $-R$, where $R$ is the intersection between the elliptic curve and the line through $P$ and $Q$, and $-R$ is obtained by the reflection of $R$ about the $x$ axis.

In general, the number of points on an elliptic curve depends on the parameters $a$ and $b$. However, a theorem of Hasse says that $\bigl| |E| - (p + 1) \bigr| \le 2\sqrt{p}$, so for large $p$ the number of points is close to $p$.

An elliptic curve can be used to define an Abelian group by designating one point of the curve as the additive identity. Here, we use the common convention that $O$, the point at infinity, is this special element (although in principle, it is possible to let any point play this role). It remains to define a binary operation '+' that maps a pair of points on the curve to a new point on the curve in a way that satisfies the group axioms. To motivate the definition, consider the case of the field $\mathbb{R}$. Given two points $P, Q \in E$, their sum $P + Q$ is defined geometrically, as follows. First, assume that neither point is $O$. Draw a line through the points $P$ and $Q$ (or, if $P = Q$, draw the tangent to the curve at $P$), and let $R$ denote the third point of intersection, defined to be $O$ if the line is vertical. Then $P + Q$ is the reflection of $R$ about the $x$ axis, where the reflection of $O$ is $O$. If one of $P$ or $Q$ is $O$, we draw a vertical line through the other point, so that $P + O = P$ as desired. Since $O$ is the additive identity, we define $O + O = O$. Reflection about the $x$ axis corresponds to negation, so we can think of the rule as saying that the three points of intersection of a line with the curve sum to $O$, as depicted in Figure 3.

It can be shown that $(E, +)$ is an Abelian group, where the inverse of $P = (x,y)$ is $-P = (x,-y)$. From the geometric definition, it is clear that this group is Abelian (the line through $P$ and $Q$ does not depend on which point is chosen first) and closed (we always choose $P + Q$ to be some point on the curve). The only remaining group axiom to check is associativity; we must show that $(P + Q) + T = P + (Q + T)$.

To define the group operation for a general field, it is useful to have an algebraic description of elliptic curve point addition. Let $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$. Provided $x_P \ne x_Q$, the slope of the line through $P$ and $Q$ is

    $\lambda = \dfrac{y_Q - y_P}{x_Q - x_P}$.   (66)

Computing the intersection of this line with Eq. (63), we find

    $x_{P+Q} = \lambda^2 - x_P - x_Q$,   (67)

    $y_{P+Q} = \lambda (x_P - x_{P+Q}) - y_P$.   (68)

If $x_P = x_Q$, there are two possibilities for $Q$: either $Q = (x_Q, y_Q) = (x_P, y_P) = P$ or $Q = (x_Q, y_Q) = (x_P, -y_P) = -P$. If $Q = -P$, then $P + Q = O$. On the other hand, if $P = Q$ (i.e., if we are computing $2P$), then Eqs. (67) and (68) hold with $\lambda$ replaced by the slope of the tangent to the curve at $P$, namely

    $\lambda = \dfrac{3x_P^2 + a}{2y_P}$   (69)

(unless $y_P = 0$, in which case the slope is infinite, so $2P = O$).

While the geometric picture does not necessarily make sense for the case of a finite field, we can take its algebraic description as a definition of the group operation. It is again obvious that addition of points, defined by these algebraic expressions, is commutative and closed. Associativity of the group operation can be verified by a direct calculation. This shows that $(E, +)$ is indeed an Abelian group.

Suppose we fix an elliptic curve group $(E, +)$ and choose a point $g \in E$. Then we can consider the subgroup $\langle g \rangle$, which is possibly the entire group if it happens to be cyclic. Using exponentiation in this group (which is multiplication by an integer in our additive notation), we can define analogs of Diffie-Hellman key exchange and related cryptosystems such as ElGamal. The security of these cryptosystems then relies on the assumption that the discrete log problem on $\langle g \rangle$ is hard.
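The following Python code is an added example, my own and not from the original article or any library it cites. It implements Eqs. (66)-(69) over $\mathbb{F}_p$, enumerates the curve of Eq. (64) over $\mathbb{F}_7$, builds the scalar multiplication that plays the role of exponentiation in $\langle g \rangle$, runs a toy Diffie-Hellman exchange in that subgroup, and then recovers a secret with baby-step giant-step, the generic $O(\sqrt{n})$ classical attack on a subgroup of order $n$ that Shor's algorithm beats. The generator $g = (1,1)$, the two secrets and the function names are my own choices.

```python
from math import isqrt

O = None  # the point at infinity, used as the additive identity


def neg(P, p):
    """-P = (x, -y); the inverse of O is O."""
    return O if P is O else (P[0], (-P[1]) % p)


def add(P, Q, a, p):
    """Point addition on y^2 = x^3 + a x + b over F_p, Eqs. (66)-(69).
    b is not needed here: it only decides which points lie on E."""
    if P is O:
        return Q
    if Q is O:
        return P
    xp, yp = P
    xq, yq = Q
    if xp == xq:
        if (yp + yq) % p == 0:             # Q = -P (covers P = Q with y_P = 0)
            return O
        lam = (3 * xp * xp + a) * pow(2 * yp, -1, p) % p   # tangent, Eq. (69)
    else:
        lam = (yq - yp) * pow(xq - xp, -1, p) % p          # chord, Eq. (66)
    xr = (lam * lam - xp - xq) % p                           # Eq. (67)
    yr = (lam * (xp - xr) - yp) % p                          # Eq. (68)
    return (xr, yr)


def mul(k, P, a, p):
    """k*P by double-and-add: the additive analogue of modular
    exponentiation that Diffie-Hellman and ElGamal on E rely on."""
    R = O
    while k > 0:
        if k & 1:
            R = add(R, P, a, p)
        P = add(P, P, a, p)
        k >>= 1
    return R


def curve_points(a, b, p):
    """All of E(F_p), including O, by brute force (fine for tiny p)."""
    pts = [O]
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        for y in range(p):
            if y * y % p == rhs:
                pts.append((x, y))
    return pts


def point_order(P, a, p):
    """Smallest n > 0 with n*P = O."""
    n, R = 1, P
    while R is not O:
        R = add(R, P, a, p)
        n += 1
    return n


def bsgs_log(P, Q, n, a, p):
    """Solve k*P = Q where P has order n, by baby-step giant-step in
    O(sqrt(n)) group operations: the generic classical attack, and the
    reason ECC keys can be far shorter than RSA keys."""
    m = isqrt(n) + 1
    baby = {}
    R = O
    for j in range(m):                    # baby steps j*P, 0 <= j < m
        baby.setdefault(R, j)
        R = add(R, P, a, p)
    giant = neg(mul(m, P, a, p), p)       # -m*P
    gamma = Q
    for i in range(m):                    # giant steps Q - i*m*P
        if gamma in baby:
            return (i * m + baby[gamma]) % n
        gamma = add(gamma, giant, a, p)
    return None


if __name__ == "__main__":
    a, b, p = -1, 1, 7                    # the curve of Eq. (64) over F_7
    E = curve_points(a, b, p)
    assert abs(len(E) - (p + 1)) <= 2 * p ** 0.5       # Hasse's bound
    g = (1, 1)
    n = point_order(g, a, p)
    print(f"|E(F_7)| = {len(E)}, order of g = {n}")
    ka, kb = 5, 7                         # constructed toy secrets
    A, B = mul(ka, g, a, p), mul(kb, g, a, p)
    assert mul(kb, A, a, p) == mul(ka, B, a, p)        # shared point agrees
    print("Alice's public point", A, "has discrete log", bsgs_log(g, A, n, a, p))
```

On this curve $g = (1,1)$ generates all twelve points, so $\langle g \rangle = E(\mathbb{F}_7)$ and the whole group is cyclic, which is the situation the text has in mind when it asks for $g$ of high order.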

In practice, there are many details to consider when choosing an elliptic curve group for cryptographic purposes (Buchmann, 2004; Menezes et al., 1996). Algorithms are known for calculating discrete logarithms on "supersingular" and "anomalous" curves that run faster than algorithms for the general case, so such curves should be avoided. At the same time, $g$ should be chosen to be a point of high order. Curves with the desired hardness properties can be found efficiently, and in the general case it is not known how to solve the discrete log problem over an elliptic curve group classically any faster than by general methods (see Section IV.B), which run in time $O(\sqrt{p})$.

However, using Shor's algorithm, a quantum computer can solve the discrete log problem for an elliptic curve group over $\mathbb{F}_p$ in time $\mathrm{poly}(\log p)$. Points on the curve can be represented uniquely by their coordinates, with a special symbol used to denote $O$. Addition of points on the curve can be computed using Eqs. (67) and (68), which involve only elementary arithmetic operations in the field. The most complex of these operations is the calculation of modular inverses, which can easily be done using Euclid's algorithm. For more details on the implementation of Shor's algorithm over elliptic curves, see (Cheung et al., 2008; Kaye, 2005; Proos and Zalka, 2003).

Elliptic curve cryptosystems are commonly viewed as being more secure than RSA for a given key size, since the best classical algorithms for factoring run faster than the best classical algorithms for calculating discrete logarithms in elliptic curve groups. Thus in practice, much smaller key sizes are used in elliptic curve cryptography than in factoring-based cryptography. Ironically, Shor's algorithm takes a comparable number of steps for both factoring and discrete log (see the footnote below), so it could actually be easier for quantum computers to break present-day elliptic curve cryptosystems than to break RSA.

One can also define an Abelian group corresponding to a hyperelliptic curve, a curve of the form $y^2 = f(x)$ for some suitable polynomial $f$ of degree higher than 3. These groups are also candidates for cryptographic applications (see for example (Koblitz, 1998, Chapter 6)). In general, such a group is referred to as the Jacobian of the curve; it is no longer isomorphic to the curve itself in the non-elliptic case. The elements of a general Jacobian can be represented uniquely and added efficiently, so that Shor's algorithm can also efficiently compute discrete logarithms over the Jacobian of a hyperelliptic curve.



G. Decomposing Abelian and solvable groups 

Recall from Section IV.D that Shor's period-finding algorithm can be used to compute the order of a cyclic group $C = \langle g \rangle$, given the ability to efficiently represent and multiply elements of the group. More generally, given a black-box representation of some group, it would be useful to have a way of identifying the structure of that group. For certain kinds of groups, such decompositions can be obtained efficiently by a quantum computer.

These algorithms operate in the framework of black-box groups (Babai and Szemerédi, 1984). In this framework, the elements of a group $G$ are represented uniquely by strings of length $\mathrm{poly}(\log|G|)$, and we are given a black box that can compute products or inverses in $G$ as desired. Of course, any algorithm that works in the black-box setting also works when the group is represented explicitly, say as a matrix group or as some known group. Note that computing the order of $G$ in the black-box group setting is hard even when $G$ is promised to be Abelian (Babai and Szemerédi, 1984).

Suppose we are given a generating set for a finite Abelian black-box group. Recall that by the fundamental theorem of finite Abelian groups, any such group can be decomposed as a direct product $G = \mathbb{Z}/p_1^{e_1}\mathbb{Z} \times \cdots \times \mathbb{Z}/p_k^{e_k}\mathbb{Z}$ of cyclic subgroups of prime power order. By combining the solution of the Abelian HSP with classical techniques from computational group theory, there is an efficient quantum algorithm for determining the structure of the group (i.e., the values $p_i^{e_i}$), and furthermore, for obtaining generators for each of the cyclic factors (Cheung and Mosca, 2001; Mosca, 1999). Note that this provides an alternative approach to factoring an integer $N$: by decomposing the multiplicative group $(\mathbb{Z}/N\mathbb{Z})^\times$, we learn its size $\varphi(N)$, which is sufficient to determine the factors of $N$ (Miller, 1976; Shoup, 2005).

Footnote (to the comparison of factoring and discrete log in Section IV.F): Naively, computing the group operations for an elliptic curve using Eqs. (67) and (68) requires slightly more operations than performing ordinary integer multiplication. However, there are ways to improve the running time of Shor's algorithm for discrete log over elliptic curve groups, at least in certain cases (Cheung et al., 2008).

More generally, a similar decomposition can be obtained for any solvable group (Watrous, 2001a). A finite group $G$ is called solvable if there exist elements $g_1, \ldots, g_m \in G$ such that

    $\{1\} = H_0 \triangleleft H_1 \triangleleft \cdots \triangleleft H_m = G$,   (70)

where $H_j := \langle g_1, \ldots, g_j \rangle$ for each $j = 0, 1, \ldots, m$, and where the notation $H_j \triangleleft H_{j+1}$ indicates that $H_j$ is a normal subgroup of $H_{j+1}$, i.e., that $xH_j = H_j x$ for every $x \in H_{j+1}$. (Equivalently, $G$ is solvable if its derived series contains the trivial subgroup.) Every Abelian group is solvable, but the converse does not hold; for example, $S_3 = D_3$ is non-Abelian but solvable. Given a generating set for a black-box solvable group, there is an efficient probabilistic classical algorithm to find $g_1, \ldots, g_m$ satisfying Eq. (70) for some $m = \mathrm{poly}(\log|G|)$ (Babai et al., 1995). To compute the order of $G$, it suffices to compute the orders of the quotient groups $H_j/H_{j-1}$ for $j = 1, \ldots, m$, which are necessarily cyclic. We cannot directly compute the orders of these groups using Shor's algorithm since we do not have unique encodings of their elements. However, Watrous shows that if we are given the uniform superposition $|H_{j-1}\rangle$, we can (probabilistically) compute $|H_j/H_{j-1}|$ using a modified version of Shor's algorithm, and also (probabilistically) prepare the state $|H_j\rangle$. By recursing this procedure along the normal series Eq. (70) (starting with enough copies of $|H_0\rangle$, and maintaining enough copies of the intermediate states $|H_j\rangle$, to handle the cases where the algorithm fails), a quantum computer can calculate $|G|$ in polynomial time. By straightforward reductions, this also gives efficient quantum algorithms for testing membership in solvable groups and for deciding whether a subgroup of a solvable group is normal. Similar ideas give a method for determining the structure of any Abelian factor group $G/H$, where $H \triangleleft G$ (Watrous, 2001a); see also (Ivanyos et al., 2003) for related work.



H. Counting points on curves 

Suppose we are given a polynomial $f \in \mathbb{F}_q[x_1, \ldots, x_n]$ in $n$ variables over the finite field $\mathbb{F}_q$. The set $H_f := \{x \in \mathbb{F}_q^n : f(x) = 0\}$ of solutions to the equation $f(x) = 0$ is called a hypersurface. Counting the number of solutions $|H_f|$ of this equation is a fundamental computational problem. More generally, given $m$ polynomials $f_1, \ldots, f_m \in \mathbb{F}_q[x_1, \ldots, x_n]$, we may be interested in the number of solutions to the system of equations $f_1(x) = \cdots = f_m(x) = 0$. The complexity of such counting problems can be characterized in terms of at least five parameters: the number $m$ of polynomials, the number $n$ of variables, the degrees $\deg(f_i)$ of the polynomials, the size $q$ of the finite field $\mathbb{F}_q$, and the characteristic $p$ of the field, where $q = p^k$ and $p$ is prime.

The complexity class #P characterizes the difficulty of counting the number of values $x$ such that $f(x) = 0$, where $f$ is an efficiently computable function. One can show that for quadratic polynomials over $\mathbb{F}_2$, with no restrictions on the number $n$ of variables and the number $m$ of polynomials, the corresponding counting problem is #P-complete. As #P problems are at least as hard as NP problems (see Section II.D), we do not expect quantum computers to solve such counting problems in time $\mathrm{poly}(n, m)$. In fact, the counting problem is #P-hard even for a single polynomial in two variables (von zur Gathen et al., 1997) provided we use a sparse representation that only lists the nonzero coefficients of the polynomial, which allows its degree to be exponential in the size of its representation. Using a non-sparse representation, so that we aim for a running time polynomial in the degree, the computational complexity of such counting problems is a more subtle issue.

Here we are concerned with the counting problem for planar curves, meaning that we have $m = 1$ polynomial in $n = 2$ variables. (Appendix C contains some crucial background information about curves over finite fields for readers unfamiliar with this topic.) A key parameter characterizing the complexity of this counting problem is the genus $g$ of the curve. For a nonsingular, projective, planar curve $f$, the genus is $g = \tfrac12 (d - 1)(d - 2)$, where $d = \deg(f)$.

Schoof (1985) gave an algorithm to count the number of points on an elliptic curve (for which $g = 1$) over $\mathbb{F}_q$ in time $\mathrm{poly}(\log q)$. Following results by Pila (1990), Adleman and Huang (2001) generalized this result to hyperelliptic curves, giving an algorithm with running time $(\log q)^{O(g^2 \log g)}$, where $g$ is the genus of the curve. For fields $\mathbb{F}_{p^r}$ with characteristic $p$, Lauder and Wan (2002) showed the existence of a deterministic algorithm for counting points with time complexity $\mathrm{poly}(p, r, \deg f)$. While the former algorithm is efficient for $g = O(1)$, and the latter is efficient for $p = \mathrm{poly}(\log q)$, neither is efficient without some restriction on the genus or the field characteristic.

On the other hand, Kedlaya (2006) explained how the quantum algorithm for determining the structure of an unknown finite Abelian group (Section IV.G) can be used to count the number of points on a planar curve of genus $g$ over $\mathbb{F}_q$ in time $\mathrm{poly}(g, \log q)$. It is probably fair to say that this constitutes not so much a new quantum algorithm, but rather a novel application of known quantum algorithms to algebraic geometry.

In brief, Kedlaya's algorithm counts the solutions of a smooth, projective curve $C_f$ of genus $g$ by determining the $2g$ nontrivial roots of the corresponding Zeta function $Z_f(T)$, which are determined from the orders of the class groups $\mathrm{Cl}^{(s)}(C_f)$ over the different base fields $\mathbb{F}_{p^s}$ for $s = 1, \ldots, 16g$. As the class groups are all finite Abelian groups, $|\mathrm{Cl}^{(s)}(C_f)|$ can be computed in time $\mathrm{poly}(g, s, \log p)$ by a quantum computer, thus giving an efficient quantum algorithm for the point counting problem. We explain some of the details below. For further information, see (Hulek, 2003), (Lorenzini, 1996), and the original article by Kedlaya (in increasing order of sophistication).

The Zeta function of a curve. Let the polynomial $f \in \mathbb{F}_p[X, Y]$ define a smooth, planar, projective curve $C_f$. To count the number of points on this curve in the projective plane $\mathbb{P}^2(\mathbb{F}_p)$, it is useful to consider extensions of the base field. For any positive integer $r$, we define

    $N_r := |C_f(\mathbb{F}_{p^r})|$,   (71)

where

    $C_f(\mathbb{F}_{p^r}) := \{x \in \mathbb{P}^2(\mathbb{F}_{p^r}) : f(x) = 0\}$   (72)

denotes the projective curve defined by $f$ when viewed as a polynomial over $\mathbb{F}_{p^r}$.

In terms of these values, we can define the Zeta function $Z_f(T)$ of the curve $C_f$, namely

    $Z_f(T) := \exp\Bigl( \sum_{r=1}^{\infty} \frac{N_r}{r} T^r \Bigr)$,   (73)

with $T$ a formal variable, and the exponential function defined by the Taylor series $\exp(x) = \sum_{j=0}^{\infty} x^j / j!$. Whereas the Riemann zeta function is used to study the elements and primes of the ring $\mathbb{Z}$, the Zeta function of a curve captures the ideals and prime ideals of the ring $\mathbb{F}_p[X, Y]/(f)$, where $(f)$ denotes the ideal generated by $f$.

From the proof of Weil's Riemann hypothesis for curves (see for example (Lorenzini, 1996, Chap. X)), the Zeta function of a smooth, projective curve $C_f$ of genus $g$ has the form

    $Z_f(T) = \dfrac{Q_f(T)}{(1 - pT)(1 - T)}$,   (74)

where $Q_f(T)$ is a polynomial of degree $2g$ with integer coefficients. Moreover, $Q_f(T)$ has the factorization

    $Q_f(T) = \prod_{j=1}^{2g} (1 - \alpha_j T)$   (75)

with $\alpha_{g+j} = \alpha_j^*$ and $|\alpha_j| = \sqrt{p}$ for all $j$. By considering the $r$th derivative of $Z_f(T)$ at $T = 0$, it is easy to see that the values $\alpha_j$ determine the numbers $N_1, N_2, \ldots$, and in particular

    $N_r = p^r + 1 - \sum_{j=1}^{2g} \alpha_j^r$   (76)

for all $r$. Thus, if we know the integer coefficients of the degree $2g$ polynomial $Q_f(T)$, we can infer the number of points on the curve $f(x) = 0$ over $\mathbb{P}^2(\mathbb{F}_{p^r})$. Kedlaya's algorithm calculates $Z_f(T)$, and hence $Q_f(T)$, by relating it to the class group of the curve, a finite Abelian group.



The class group of a function field. A divisor $D$ on a curve $C$ over $\mathbb{F}_p$ is a finite, formal sum over points on the curve extended to the algebraic closure $\overline{\mathbb{F}}_p$ of $\mathbb{F}_p$, namely

    $D = \sum_{P \in C(\overline{\mathbb{F}}_p)} c_P \, P$.   (77)

To be a divisor, $D$ must satisfy three conditions: (1) $c_P \in \mathbb{Z}$ for all $P$, (2) $\sum_P |c_P|$ is finite, and (3) $D$ is invariant under the Frobenius automorphism $\phi : x \mapsto x^p$, i.e., $c_P = c_{\phi(P)}$ for all $P$. The degree of $D$ is the integer $\deg(D) = \sum_P c_P$. Under pointwise addition of the coefficients $c_P$, the divisors of degree 0 form the group

    $\mathrm{Div}(C) := \{D : \deg(D) = 0\}$.   (78)

As explained in Appendix C, for any curve $C_f$ one can define the function field $\mathbb{F}_p(C_f)$, the field of rational functions $\{g = g_1/g_2 : g_2 \ne 0\}$, where $g_1$ and $g_2$ are homogeneous polynomials of equal degree modulo $(f)$, such that $g$ is a function on the projective curve $C_f(\overline{\mathbb{F}}_p)$. For each such nonzero rational function $g \in \mathbb{F}_p(C_f)$ we define the corresponding principal divisor

    $\mathrm{div}(g) := \sum_{P \in C_f(\overline{\mathbb{F}}_p)} \mathrm{ord}_P(g) \, P$   (79)

    $\phantom{\mathrm{div}(g)} = \sum_{P \in C_f(\overline{\mathbb{F}}_p)} \mathrm{ord}_P(g_1) \, P - \sum_{P \in C_f(\overline{\mathbb{F}}_p)} \mathrm{ord}_P(g_2) \, P$,   (80)

where the nonnegative integer $\mathrm{ord}_P(g_i)$ is the multiplicity of $P$ as a solution to $g_i = 0$. In particular, $\mathrm{ord}_P(g_i) \ge 1$ if and only if $g_i(P) = 0$, and $\mathrm{ord}_P(g_i) = 0$ when $g_i(P) \ne 0$.

For each principal divisor we have $\deg(\mathrm{div}(g)) = 0$. For a rational curve such as the straight line $C = \mathbb{P}^1$, the converse holds as well: the only divisors of degree 0 are the principal divisors of the curve. But it is an important fact that for general curves the converse does not hold. For curves that are not rational, i.e., curves of positive genus such as elliptic curves, the class group captures the relationship between the group $\mathrm{Div}(C_f)$ and its subgroup of principal divisors.

There is a crucial equivalence relation $\sim$ among divisors defined by

    $D_1 \sim D_2$ if and only if $D_1 - D_2$ is a principal divisor.   (81)

Finally, the (divisor) class group $\mathrm{Cl}(C)$ of a curve $C$ is defined as the group of degree 0 divisors modulo this equivalence relation:

    $\mathrm{Cl}(C) := \mathrm{Div}(C)/\!\sim$.   (82)

Returning to the theory of Zeta functions, it is known that the order of $\mathrm{Cl}(C_f)$ can be expressed in terms of the roots $\alpha_j$ of $Z_f(T)$ as

    $|\mathrm{Cl}(C_f)| = \prod_{j=1}^{2g} (1 - \alpha_j)$.   (83)

This fact establishes a close connection between the number of points $N_1 = |C_f(\mathbb{F}_p)|$ on a curve and the size $|\mathrm{Cl}(C_f)|$ of its class group.

All of the above can be repeated while interpreting the polynomial $f$ as an element of the extended ring $\mathbb{F}_{p^s}[X, Y]$. Indicating this change of the base field $\mathbb{F}_p$ to its degree $s$ extension $\mathbb{F}_{p^s}$ with a parenthesized superscript, the Zeta function $Z_f^{(s)}(T)$ has $2g$ nontrivial roots $\alpha_j^{(s)} = \alpha_j^s$ for $j = 1, \ldots, 2g$, and the class group $\mathrm{Cl}^{(s)}(C_f)$ has order

    $|\mathrm{Cl}^{(s)}(C_f)| = \prod_{j=1}^{2g} (1 - \alpha_j^s)$.   (84)

Observe that the change of base field affects the class group since the new divisors must be invariant under the Frobenius automorphism $\phi^s : x \mapsto x^{p^s}$ (which is a weaker restriction than the corresponding condition over $\mathbb{F}_p$, making $\mathrm{Div}^{(s)}(C_f)$ larger than $\mathrm{Div}(C_f)$), while the group of principal divisors now allows all rational functions $g \in \mathbb{F}_{p^s}(C_f)$.

To illustrate the above definitions, we present the following extensive example of the class group of an elliptic curve.

Example (Point counting and the class group of an elliptic curve). Consider the elliptic curve $E$ over $\mathbb{F}_2$ defined by the equation $Y^2 + XY + X^3 + 1 = 0$. The projective version of $E$ is defined by the homogeneous equation $Y^2 Z + XYZ + X^3 + Z^3 = 0$. We want to consider the number of points $N_r$ in the projective space $\mathbb{P}^2(\mathbb{F}_{2^r})$ for various $r$.

It is not hard to see that $N_1 = 4$, with the four solutions (in coordinates $(X : Y : Z)$)

    $P_0 = (0:1:0)$,  $P_1 = (1:0:1)$,  $P_2 = (0:1:1)$,  $P_3 = (1:1:1)$.

For the first extension field, there are $N_2 = 8$ elements in $E(\mathbb{F}_4)$; in addition to the previous four points, we now also have the solutions

    $P_4 = (\omega:0:1)$,  $P_5 = (\omega:\omega:1)$,  $P_6 = (\omega^2:0:1)$,  $P_7 = (\omega^2:\omega^2:1)$,

with $\omega$ an element of the field $\mathbb{F}_4$ satisfying $\omega^2 + \omega + 1 = 0$ (so that $\omega^2 = \omega + 1$).

In general, it can be shown that the number of points on $E(\mathbb{F}_{2^r})$ is

    $N_r = 2^r + 1 - \alpha^r - \bar\alpha^r$   (85)

for any $r$, where $\alpha := -\tfrac12 + \tfrac12\sqrt{-7}$.

To explore the class group $\mathrm{Cl}(E)$ of this curve, we start by considering some principal divisors. For the linear functions in $X, Y, Z$ we find the following (degree 3) divisors; the table lists $\mathrm{ord}_P(f)$ for each point, with blank entries equal to 0:

    f            P_0  P_1  P_2  P_3  P_4  P_5  P_6  P_7
    X             1         2
    Y                  1              1         1
    Z             3
    X + Y                       1         1         1
    X + Z         1    1         1
    Y + Z                   1    2
    X + Y + Z          2    1

From this table we see, for example, that the principal divisor of $X/Z$ equals $-2P_0 + 2P_2$, and that $\mathrm{div}((X + Y + Z)/(X + Z)) = -P_0 + P_1 + P_2 - P_3$. (Note also that in this function field we have equalities such as $X^2 + YZ = (X + Z)^2 (Y + Z)/(X + Y + Z)$, which confirms that $\mathrm{div}(X^2 + YZ) = 2\,\mathrm{div}(X + Z) + \mathrm{div}(Y + Z) - \mathrm{div}(X + Y + Z) = 2P_0 + 4P_3$.)

One can also show that $P_0 - P_1$ is not a principal divisor, and hence that $\mathrm{Cl}(E)$ is nontrivial. In fact, there are four different elements $C_j$ of the class group, which we can indicate by the representatives

    $C_0 = 0$,  $C_1 = P_0 - P_1$,  $C_2 = P_0 - P_2$,  $C_3 = P_0 - P_3$.

(Note however that these representatives are far from unique, as for example $-P_0 + P_1 + P_2 - P_3 = \mathrm{div}((X + Y + Z)/(X + Z))$.) One can verify that the elements of $\mathrm{Cl}(E)$ act as the group $\mathbb{Z}/4\mathbb{Z}$, with $C_x + C_y = C_{x+y}$ for any $x, y \in \mathbb{Z}/4\mathbb{Z}$.

Performing similar calculations over the extension field $\mathbb{F}_{2^n}$, one can show that in general,

    $|\mathrm{Cl}^{(n)}(E)| = (1 - \alpha^n)(1 - \bar\alpha^n) = 2^n + 1 - \alpha^n - \bar\alpha^n$,   (86)

where $\alpha$ is as in Eq. (85). This concludes our example.
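As an added example (my own code, not part of the article), the following Python script checks the example above numerically. It counts the points of $Y^2 Z + XYZ + X^3 + Z^3 = 0$ over $\mathbb{F}_{2^r}$ for $r = 1, \ldots, 8$ by brute force and compares the result with Eq. (85) and with the class group order of Eq. (86). Both formulas are evaluated exactly: since $\alpha$ and $\bar\alpha$ are the roots of $x^2 + x + 2$, the power sums $\alpha^r + \bar\alpha^r$ are integers satisfying a two-term recurrence, so no complex floating point is needed. The irreducible polynomials used to construct the fields and the function names are my own choices.

```python
# Irreducible polynomials over F_2 defining F_{2^r}, r = 1..8 (bit i of the
# integer is the coefficient of x^i).  These are standard choices.
IRRED = {1: 0b11, 2: 0b111, 3: 0b1011, 4: 0b10011, 5: 0b100101,
         6: 0b1000011, 7: 0b10000011, 8: 0b100011011}


def gf_mul(a, b, r):
    """Multiply two elements of F_{2^r} (integers below 2^r), reducing
    modulo IRRED[r] with carry-less shift-and-add."""
    mod, res = IRRED[r], 0
    while b:
        if b & 1:
            res ^= a
        b >>= 1
        a <<= 1
        if (a >> r) & 1:
            a ^= mod
    return res


def count_points_brute_force(r):
    """N_r = |E(F_{2^r})| for Y^2 Z + XYZ + X^3 + Z^3 = 0.  Z = 0 forces
    X = 0, giving the single point P_0 = (0:1:0); the chart Z = 1 is the
    affine equation y^2 + xy + x^3 + 1 = 0, which we enumerate directly."""
    q = 1 << r
    n = 1                                   # the point at infinity P_0
    for x in range(q):
        x3 = gf_mul(gf_mul(x, x, r), x, r)
        for y in range(q):
            if gf_mul(y, y, r) ^ gf_mul(x, y, r) ^ x3 ^ 1 == 0:
                n += 1
    return n


def frobenius_power_sums(rmax):
    """s_r = alpha^r + conj(alpha)^r for alpha = (-1 + sqrt(-7))/2.
    alpha and conj(alpha) are the roots of x^2 + x + 2, hence
    s_r = -s_{r-1} - 2 s_{r-2} with s_0 = 2, s_1 = -1 (exact integers)."""
    s = [2, -1]
    for _ in range(2, rmax + 1):
        s.append(-s[-1] - 2 * s[-2])
    return s


def count_points_weil(r):
    """Eq. (85): N_r = 2^r + 1 - alpha^r - conj(alpha)^r."""
    return (1 << r) + 1 - frobenius_power_sums(r)[r]


def class_group_order(s):
    """Eq. (86): |Cl^(s)(E)| = (1 - alpha^s)(1 - conj(alpha)^s)
    = 1 - (alpha^s + conj(alpha)^s) + (alpha conj(alpha))^s, and
    alpha conj(alpha) = |alpha|^2 = 2."""
    return 1 - frobenius_power_sums(s)[s] + (1 << s)


if __name__ == "__main__":
    for r in range(1, 9):
        brute, weil, cl = count_points_brute_force(r), count_points_weil(r), class_group_order(r)
        print(f"r={r}: brute force N_r={brute}, Weil N_r={weil}, |Cl^({r})(E)|={cl}")
        assert brute == weil == cl
        assert abs(weil - ((1 << r) + 1)) <= 2 * 2 ** (r / 2)   # Hasse-Weil bound
```

The run also shows the divisibility one expects from $E(\mathbb{F}_{2^r}) \le E(\mathbb{F}_{2^{rs}})$, e.g. $N_1 = 4$ divides $N_3 = 4$ and $N_2 = 8$ divides $N_4 = 16$, and that $N_8 = 288$ sits right at the Hasse-Weil bound $|N_8 - 257| \le 32$.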



While for elliptic curves the number of points on the curve equals the number of elements of the corresponding class group, this coincidence does not persist for general curves with genus different from 1. However, the class group is nevertheless always a finite Abelian group, which can be explored using the quantum algorithm of Section IV.G.

Kedlaya's algorithm. Finally, we describe the quantum algorithm of Kedlaya (2006) for counting the points on a curve over a finite field.

Algorithm 7 (Point counting).

Input: A nonsingular, planar, projective curve $C_f$ defined by a polynomial $f \in \mathbb{F}_q[X, Y]$.

Problem: Determine the number of solutions $|C_f(\mathbb{F}_{q^r})|$ of the equation $f = 0$ in the projective plane $\mathbb{P}^2(\mathbb{F}_{q^r})$.

1. Let $g = \tfrac12 (d - 1)(d - 2)$ be the genus of the curve, where $d = \deg(f)$.

2. For $s = 1, 2, \ldots, 16g$:

   (a) Construct the class group $\mathrm{Cl}^{(s)}(C_f)$.

   (b) Using the algorithm of Section IV.G, determine $|\mathrm{Cl}^{(s)}(C_f)|$.

3. Using the calculated group sizes and the equalities

    $|\mathrm{Cl}^{(s)}(C_f)| = \prod_{j=1}^{2g} (1 - \alpha_j^s)$   (87)

for $s = 1, 2, \ldots, 16g$, determine the roots $\alpha_j$.

4. Compute $N_r = |C_f(\mathbb{F}_{q^r})| = q^r + 1 - \sum_{j=1}^{2g} \alpha_j^r$.

Several aspects of this algorithm are beyond the scope of this article, most notably the issue of uniquely representing and manipulating the elements of the class group $\mathrm{Cl}(C_f)$ in such a way that they can be sampled (nearly) uniformly, facilitating finding a set of generators. For an explanation of this and other issues, we refer the reader to the original article and references therein.

In conclusion, note that the above quantum algorithm has running time polynomial in the parameters $\log q$ and $g$, whereas the best known classical algorithms are either exponential in $g$ (Adleman and Huang, 2001), or exponential in $\log p$ (Lauder and Wan, 2002). Whether it is possible to generalize Kedlaya's algorithm for curves to more general surfaces, i.e., to polynomials $f$ with more than 2 variables, remains an open question. The best known classical result for this problem is that of Lauder and Wan (2002), who described an algorithm with running time $\mathrm{poly}(p^n, r^n, \deg(f)^n)$.



TABLE I Some examples of fundamental solutions of Pell's equation $x^2 - dy^2 = 1$ for different input values $d$ (Jozsa, 2003).

    d       x_1                                                y_1
    2       3                                                  2
    3       2                                                  1
    5       9                                                  4
    13      649                                                180
    14      15                                                 4
    6009    131634010632725315892594469510599473884013975      1698114661157803451688949237883146576681644
    6013    40929908599                                        527831340

V. QUANTUM ALGORITHMS FOR NUMBER FIELDS

A. Pell's equation

Given a squarefree integer $d$ (i.e., an integer not divisible by any perfect square), the Diophantine equation

    $x^2 - dy^2 = 1$   (88)

is known as Pell's equation. This appellation provides a nice example of Stigler's Law of Eponymy (Stigler, 1980) in action, as Pell had nothing whatsoever to do with the equation. The misattribution is apparently due to Euler, who confused Pell with a contemporary, Brouncker, who had actually worked on the equation. In fact, Pell's equation was studied in ancient India, where (inefficient) methods for solving it were developed hundreds of years before Pell (Lenstra, 2002). (Indeed, Lenstra has suggested that most likely, Pell was named after the equation.)

The left hand side of Pell's equation can be factored as

    $x^2 - dy^2 = (x + y\sqrt{d})(x - y\sqrt{d})$.   (89)

Note that a solution of the equation $(x, y) \in \mathbb{Z}^2$ can be encoded uniquely as the real number $x + y\sqrt{d}$: since $\sqrt{d}$ is irrational, $x + y\sqrt{d} = w + z\sqrt{d}$ if and only if $(x, y) = (w, z)$. Thus we can also refer to the number $x + y\sqrt{d}$ as a solution of Pell's equation.

There is clearly no loss of generality in restricting our attention to positive solutions of the equation, namely those for which $x > 0$ and $y > 0$. It is straightforward to show that if $x_1 + y_1\sqrt{d}$ is a positive solution, then $(x_1 + y_1\sqrt{d})^n$ is also a positive solution for any $n \in \mathbb{N}$. In fact, with $x_1 + y_1\sqrt{d}$ the smallest positive solution of the equation, called the fundamental solution, one can show that all positive solutions equal $(x_1 + y_1\sqrt{d})^n$ for some $n \in \mathbb{N}$. Thus, even though Pell's equation has an infinite number of solutions, we can in a sense find them all by finding the fundamental solution.

Some examples of fundamental solutions for various values of $d$ are shown in Table I. Notice that while the size of the fundamental solution generally increases with increasing $d$, the behavior is far from monotonic: for example, $x_1$ has 45 decimal digits when $d = 6009$, but only 11 decimal digits when $d = 6013$. In general, though, it is possible for the solutions to be very large: the size of $x_1 + y_1\sqrt{d}$ is only upper bounded by $2^{O(\sqrt{d}\log d)}$. Thus it is not even possible to write down the fundamental solution with $\mathrm{poly}(\log d)$ bits.

To get around this difficulty, we define the regulator of the fundamental solution,

    $R := \log(x_1 + y_1\sqrt{d})$.   (90)

Since $R = O(\sqrt{d}\log d)$, we can write down $\lfloor R \rceil$, the nearest integer to $R$, using $O(\log d)$ bits. Since $R$ is an irrational number, determining only its integer part may seem unsatisfactory, but in fact, given $\lfloor R \rceil$, there is a classical algorithm to compute $n$ digits of $R$ in time $\mathrm{poly}(\log d, n)$. Thus we will be satisfied with an algorithm that finds the integer part of $R$ in time $\mathrm{poly}(\log d)$. The best known classical algorithm for this problem runs in superpolynomial time (for more details, see Section V.E). In contrast, Hallgren (2007) gave a polynomial-time quantum algorithm for computing $\lfloor R \rceil$. For a self-contained review of Hallgren's algorithm, see (Jozsa, 2003).

B. From Pell's equation to the unit group

Given a squarefree positive integer $d$, the quadratic number field $\mathbb{Q}[\sqrt{d}]$ is defined as

    $\mathbb{Q}[\sqrt{d}] := \{x + y\sqrt{d} : x, y \in \mathbb{Q}\}$.   (91)

It is easy to check that $\mathbb{Q}[\sqrt{d}]$ is a field with the usual addition and multiplication operations. We also define an operation called conjugation as

    $\overline{x + y\sqrt{d}} := x - y\sqrt{d}$.   (92)

One can easily check that conjugation of elements of $\mathbb{Q}[\sqrt{d}]$ has many of the same properties as complex conjugation, and indeed $\mathbb{Q}[\sqrt{d}]$ behaves in many respects like $\mathbb{C}$, with $\sqrt{d}$ taking the place of the imaginary unit $i = \sqrt{-1}$. Defining the ring $\mathbb{Z}[\sqrt{d}]$ as

    $\mathbb{Z}[\sqrt{d}] := \{x + y\sqrt{d} : x, y \in \mathbb{Z}\}$,   (93)

we see that solutions of Pell's equation correspond to those $\xi \in \mathbb{Z}[\sqrt{d}]$ satisfying $\xi\bar\xi = 1$.

Notice that any solution of Pell's equation, $\xi \in \mathbb{Z}[\sqrt{d}]$, has the property that its multiplicative inverse over $\mathbb{Q}[\sqrt{d}]$, $\xi^{-1} = 1/\xi = \bar\xi$, is also an element of $\mathbb{Z}[\sqrt{d}]$. In general, an element of a ring with an inverse that is also an element of the ring is called a unit. In $\mathbb{Z}$, the only units are $\pm 1$, but in other rings it is possible to have more units.

It should not be a surprise that the units of $\mathbb{Z}[\sqrt{d}]$ are closely related to the solutions of Pell's equation. In particular, $\xi = x + y\sqrt{d}$ is a unit in $\mathbb{Z}[\sqrt{d}]$ if and only if $\xi\bar\xi = x^2 - dy^2 = \pm 1$. To see this, we note that

    $\dfrac{1}{\xi} = \dfrac{\bar\xi}{\xi\bar\xi} = \dfrac{x - y\sqrt{d}}{x^2 - dy^2}$,   (94)

and if $x^2 - dy^2 = \pm 1$, then clearly $\xi^{-1} = \pm\bar\xi \in \mathbb{Z}[\sqrt{d}]$. Conversely, if $\xi^{-1} \in \mathbb{Z}[\sqrt{d}]$, then so is its conjugate, and hence so is the product

    $\xi^{-1}\,\overline{\xi^{-1}} = \dfrac{(x - y\sqrt{d})(x + y\sqrt{d})}{(x^2 - dy^2)^2} = \dfrac{1}{x^2 - dy^2}$,   (95)

which shows that $x^2 - dy^2 = \pm 1$.

The set of units in $\mathbb{Z}[\sqrt{d}]$ forms a group under multiplication called the unit group. This group is given by $\{\pm\varepsilon_1^n : n \in \mathbb{Z}\}$, where $\varepsilon_1$ is the aforementioned fundamental unit, the smallest unit greater than 1. The proof of this fact is essentially the same as the proof that all solutions of Pell's equation are powers of the fundamental solution.

If we can find $\varepsilon_1$, then it is straightforward to find all the solutions of Pell's equation. If $\varepsilon_1 = x + y\sqrt{d}$ has $x^2 - dy^2 = +1$, then the units are precisely the solutions of Pell's equation. On the other hand, if $x^2 - dy^2 = -1$, then $\varepsilon_2 := \varepsilon_1^2$ satisfies $\varepsilon_2\bar\varepsilon_2 = \varepsilon_1^2\bar\varepsilon_1^2 = (-1)^2 = 1$; in this case the solutions of Pell's equation are $\{\pm\varepsilon_2^n : n \in \mathbb{Z}\}$. Thus our goal is to find $\varepsilon_1$. Just as in our discussion of the solutions to Pell's equation, $\varepsilon_1$ is too large to write down, so instead we compute the regulator of the fundamental unit, $\mathcal{R} := \log \varepsilon_1$.

Example. Consider the quadratic number field $\mathbb{Q}[\sqrt 5]$ and 
the corresponding ring $\mathbb{Z}[\sqrt 5]$. The unit group of $\mathbb{Z}[\sqrt 5]$ 
has the fundamental unit $\varepsilon_1 = 2 + \sqrt 5$, whose regulator is 
$R = \log(2 + \sqrt 5) \approx 1.44$. Here $\varepsilon_1\bar\varepsilon_1 = 4 - 5 = -1$, so the fundamental 
solution of Pell's equation is $x_1 + y_1\sqrt 5 = \varepsilon_1^2 = 9 + 4\sqrt 5$. Thus 
the set of positive solutions to Pell's equation $x^2 - 5y^2 = 1$ is 

$$\{(x_n, y_n) : x_n + y_n\sqrt 5 = (9 + 4\sqrt 5)^n,\ n \in \mathbb{N}\}. \tag{96}$$
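The following is an added example (my code, not the article's or Hallgren's): it computes the fundamental unit $\varepsilon_1$ of $\mathbb{Z}[\sqrt d]$ from the continued fraction of $\sqrt d$ (the first convergent $p/q$ with $p^2 - dq^2 = \pm 1$ is $\varepsilon_1$, a standard fact the page does not state), checks the unit criterion of Eqs. (94)-(95), computes the regulator $R = \log\varepsilon_1$, squares $\varepsilon_1$ when its norm is $-1$, and generates the Pell solutions of Eq. (96) by repeated multiplication in $\mathbb{Z}[\sqrt d]$. The values $d = 2, 5, 7, 13, 61$ are chosen for the demonstration; for $d = 5$ it reproduces the example above.

```python
"""Units of Z[sqrt d] and Pell's equation (added example; not code from the article).

The fundamental unit eps_1 = x + y*sqrt(d) is read off the continued fraction of
sqrt(d): it is the first convergent p/q with p^2 - d q^2 = +-1 (a classical fact not
stated on this page). Everything else follows the text: the unit test of Eqs. (94)-(95),
the regulator R = log eps_1, squaring when the norm is -1, and Eq. (96)."""
from math import isqrt, log, sqrt


def norm(x, y, d):
    """xi * conj(xi) = x^2 - d*y^2 for xi = x + y*sqrt(d)."""
    return x * x - d * y * y


def is_unit(x, y, d):
    """xi is a unit of Z[sqrt d] iff x^2 - d*y^2 = +-1 (Eqs. 94-95)."""
    return abs(norm(x, y, d)) == 1


def mul(a, b, d):
    """Product of a = (x1, y1) and b = (x2, y2) in Z[sqrt d], returned as a pair."""
    (x1, y1), (x2, y2) = a, b
    return (x1 * x2 + d * y1 * y2, x1 * y2 + x2 * y1)


def inverse_unit(x, y, d):
    """Inverse of a unit: xi^-1 = conj(xi) / (xi conj(xi)) = +-conj(xi), Eq. (94)."""
    n = norm(x, y, d)
    assert abs(n) == 1, "not a unit"
    return (n * x, -n * y)


def fundamental_unit(d):
    """Smallest unit > 1 of Z[sqrt d] for d > 1 not a square, via the continued
    fraction of sqrt d (standard recurrence for the partial quotients a_k)."""
    a0 = isqrt(d)
    if a0 * a0 == d:
        raise ValueError("d must not be a perfect square")
    m, den, a = 0, 1, a0                 # state of the sqrt(d) continued-fraction recurrence
    p_prev, p, q_prev, q = 1, a0, 0, 1   # convergents p_{-1}/q_{-1} = 1/0 and p_0/q_0 = a0/1
    while not is_unit(p, q, d):
        m = den * a - m
        den = (d - m * m) // den
        a = (a0 + m) // den
        p_prev, p = p, a * p + p_prev
        q_prev, q = q, a * q + q_prev
    return (p, q)


def regulator(d):
    """R = log eps_1: what the quantum algorithm outputs instead of the huge unit itself."""
    x, y = fundamental_unit(d)
    return log(x + y * sqrt(d))


def pell_fundamental_solution(d):
    """Fundamental solution of x^2 - d y^2 = 1: eps_1 if its norm is +1, else eps_1^2."""
    e1 = fundamental_unit(d)
    return e1 if norm(*e1, d) == 1 else mul(e1, e1, d)


def pell_solutions(d, count):
    """First `count` positive solutions, x_n + y_n sqrt d = (x_1 + y_1 sqrt d)^n, Eq. (96)."""
    base = pell_fundamental_solution(d)
    sols, cur = [], base
    for _ in range(count):
        sols.append(cur)
        cur = mul(cur, base, d)
    return sols


if __name__ == "__main__":
    for d in (2, 5, 7, 13, 61):          # demonstration values, chosen for this example
        x, y = fundamental_unit(d)
        print(f"d={d}: eps_1 = {x} + {y} sqrt({d}), norm {norm(x, y, d):+d}, "
              f"R = {regulator(d):.4f}, Pell fundamental solution {pell_fundamental_solution(d)}")
```

Running it prints, for $d = 5$, $\varepsilon_1 = 2 + \sqrt 5$ with norm $-1$, $R \approx 1.4436$ and the Pell fundamental solution $(9, 4)$. The case $d = 61$ shows why the algorithm returns $R$ rather than $\varepsilon_1$: the fundamental unit $29718 + 3805\sqrt{61}$ has norm $-1$, so the smallest Pell solution is already $(1766319049, 226153980)$, and for general $d$ the coordinates of $\varepsilon_1$ can have on the order of $\sqrt d$ digits, whereas $R = \log\varepsilon_1$ is a real number that an approximation of $\mathrm{poly}(\log d)$ bits describes.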



C. Periodic function for Pell's equation 



To define a periodic function that encodes $R$, we need to 
introduce the concept of an ideal of a ring (and more specifically, 
a principal ideal). For any ring $A$, we say that $I \subseteq A$ is 
an ideal if it is closed under integer linear combinations and 
under multiplication by arbitrary elements of $A$. For example, 
$2\mathbb{Z}$ is an ideal of $\mathbb{Z}$. We say that an ideal is principal if it is 
generated by a single element of the ring, i.e., if it is of the 
form $aA$ for some $a \in A$; thus $2\mathbb{Z}$ is a principal ideal. 

Principal ideals are useful because the function mapping the 
ring element $\xi \in \mathbb{Z}[\sqrt d]$ to the principal ideal $\xi\mathbb{Z}[\sqrt d]$ is periodic, 
and its periodicity corresponds to the units of $\mathbb{Z}[\sqrt d]$. Specifically, 
$\xi\mathbb{Z}[\sqrt d] = \zeta\mathbb{Z}[\sqrt d]$ if and only if $\xi = \zeta\varepsilon$ where $\varepsilon$ is a unit 
in $\mathbb{Z}[\sqrt d]$. To see this, note that if $\varepsilon$ is a unit, then $\xi\mathbb{Z}[\sqrt d] = 
\zeta\varepsilon\mathbb{Z}[\sqrt d] = \zeta\mathbb{Z}[\sqrt d]$ since $\varepsilon\mathbb{Z}[\sqrt d] = \mathbb{Z}[\sqrt d]$ by the definition 
of a unit. Conversely, suppose that $\xi\mathbb{Z}[\sqrt d] = \zeta\mathbb{Z}[\sqrt d]$; then, 
since $1 \in \mathbb{Z}[\sqrt d]$, we have $\xi \in \xi\mathbb{Z}[\sqrt d] = \zeta\mathbb{Z}[\sqrt d]$, so there is 
some $\mu \in \mathbb{Z}[\sqrt d]$ satisfying $\xi = \zeta\mu$. Similarly, $\zeta \in \zeta\mathbb{Z}[\sqrt d] = 
\xi\mathbb{Z}[\sqrt d]$, so there is some $\nu \in \mathbb{Z}[\sqrt d]$ satisfying $\zeta = \xi\nu$. Thus 
we have $\xi = \zeta\mu = \xi\nu\mu$. This shows that $\nu\mu = 1$, so $\mu$ and $\nu$ are 
units (indeed, $\nu = \mu^{-1}$). 

As a result, the function $g(\xi) = \xi\mathbb{Z}[\sqrt d]$ is (multiplicatively) 
periodic with period $\varepsilon_1$. In other words, letting $\xi = e^z$, the 
function 

$$h(z) = e^z\,\mathbb{Z}[\sqrt d] \tag{97}$$

is (additively) periodic with period $R$. However, we cannot 
simply use this function since it is not possible to succinctly 
represent the values it takes. 

To define a more suitable periodic function, one can use 
the concept of a reduced ideal. We will not describe the 
details here. However, one can show that there are only 
finitely many reduced principal ideals, and indeed only $O(d)$ 
of them, so that we can represent a reduced principal ideal 
using $\mathrm{poly}(\log d)$ bits. 

It is also helpful to have a way of measuring the distance $\delta$ 
of any principal ideal from the unit ideal, $1\mathbb{Z}[\sqrt d] = \mathbb{Z}[\sqrt d]$. 
Such a function can be defined by 

$$\delta(\xi\mathbb{Z}[\sqrt d]) := \log\left|\frac{\xi}{\bar\xi}\right| \bmod R. \tag{98}$$

Notice that the unit ideal has distance $\delta(\mathbb{Z}[\sqrt d]) = 
\log|1/1| \bmod R = 0$, as desired. Furthermore, the distance 
function does not depend on which generator we choose to 
represent an ideal, since two equivalent ideals have generators 
that differ by some unit $\varepsilon = \pm\varepsilon_1^n$, for which $|\varepsilon\bar\varepsilon| = 1$ and hence 

$$\delta(\varepsilon\mathbb{Z}[\sqrt d]) = 2\log|\varepsilon| \bmod R = 2nR \bmod R = 0. \tag{99}$$

With this definition of distance, one can show that there is a 
reduced ideal close to any non-reduced ideal. 

The periodic function $f(z)$ used in Hallgren's algorithm is 
defined as the reduced principal ideal whose distance from 
the unit ideal is maximal among all reduced principal ideals 
of distance at most $z$ (together with the distance from $z$, to 
ensure that the function is injective within each period). In 
other words, we select the reduced principal ideal "to the left 
of, or at, $z$." 

This function $f$ is periodic with period $R$, and one can show 
that it can be computed in time $\mathrm{poly}(\log d)$. However, since $R$ 
is in general irrational, it remains to see how to perform 
period finding for such a function. 



D. Period finding over R 

Suppose we are given a function $f : \mathbb{R} \to S$ satisfying 

$$f(x) = f(y) \text{ if and only if } \frac{x - y}{r} \in \mathbb{Z} \tag{100}$$

for some $r \in \mathbb{R}$, for all $x, y \in \mathbb{R}$. Here we consider how Shor's 
period-finding algorithm (Section IV.D) can be adapted to 
find an approximation to $r$, even if it happens to be irrational 
(Hallgren, 2007). 

Of course, to perform period finding on a digital computer, 
we must discretize the function. We must be careful about 
how we perform this discretization. For example, suppose that 
$S = \mathbb{R}$. If we simply evaluate $f$ at equally spaced points and 
round the resulting values to obtain integers, there is no reason 
for the function values corresponding to inputs separated by 
an amount close to the period to be related in any way whatsoever. 
It could be that the discretized function is injective, 
carrying absolutely no information about the period. 

Instead we will discretize in such a way that the resulting 
function is pseudoperiodic. We say that $f : \mathbb{Z} \to S$ is 
pseudoperiodic at $k \in \mathbb{Z}$ with period $r \in \mathbb{R}$ if for each $\ell \in \mathbb{Z}$, 
either $f(k) = f(k + \lfloor \ell r\rfloor)$ or $f(k) = f(k + \lceil \ell r\rceil)$. We say that 
$f$ is $\epsilon$-pseudoperiodic if it is pseudoperiodic for at least an $\epsilon$ 
fraction of the values $k = 0, 1, \ldots, \lfloor r\rfloor$. We will require that 
the discretized function is $\epsilon$-pseudoperiodic for some constant 
$\epsilon$, and that it is injective on the subset of inputs where it is 
pseudoperiodic. The periodic function encoding the regulator 
of Pell's equation can be constructed so that it satisfies these 
conditions. 

The algorithm for period finding over $\mathbb{R}$ closely follows 
Algorithm 5. Again the basic approach is Fourier sampling over 
$\mathbb{Z}/N\mathbb{Z}$, with $N$ depending on some a priori upper bound on the 
period. 

Algorithm 8 (Period finding for a pseudoperiodic function). 
Input: Black box $f : \mathbb{Z} \to S$ that is $\epsilon$-pseudoperiodic (for some 
constant $\epsilon$) with period $r \in \mathbb{R}$. 

Problem: Approximate $r$. 

1. Prepare the uniform superposition $|\mathbb{Z}/N\mathbb{Z}\rangle$. 

2. Query the pseudoperiodic function in an ancilla register, 
giving 

$$\frac{1}{\sqrt N}\sum_{x \in \mathbb{Z}/N\mathbb{Z}} |x, f(x)\rangle. \tag{101}$$

3. Discard the ancilla register, so that the first register is 
left in a uniform superposition over those $x$ for which 
$f(x)$ takes some particular value. With constant probability, 
this is a value at which $f$ is pseudoperiodic. Suppose 
that this value is $f(x_0)$ where $0 \le x_0 < r$. As in 
step 3 of Algorithm 5, the first register is a superposition 
over $n \approx N/r$ points, with the rounding depending 
on the particular value of $x_0$. Let us write $[\ell]$ to denote 
an integer that could be either $\lfloor \ell\rfloor$ or $\lceil \ell\rceil$. With this 
notation, we obtain the state 

$$\frac{1}{\sqrt n}\sum_{j=0}^{n-1} |x_0 + [jr]\rangle. \tag{102}$$



4. Perform the Fourier transform over $\mathbb{Z}/N\mathbb{Z}$, giving 

$$\frac{1}{\sqrt{nN}}\sum_{k \in \mathbb{Z}/N\mathbb{Z}}\sum_{j=0}^{n-1} \omega_N^{k(x_0 + [jr])}\,|k\rangle. \tag{103}$$

We have $[jr] = jr + \delta_j$ where $-1 < \delta_j < 1$, so the sum 
over $j$ above is 

$$\sum_{j=0}^{n-1} \omega_N^{k(x_0 + jr)}\,\omega_N^{k\delta_j}. \tag{104}$$

When the offsets $\delta_j$ are zero, this is simply Eq. (56), 
which we have already shown is strongly peaked around 
values of $k$ close to integer multiples of $N/r$. To compare 
with this case, we compute the deviation 

$$\Bigl|\sum_{j=0}^{n-1} \omega_N^{k(x_0 + jr)}\omega_N^{k\delta_j} - \sum_{j=0}^{n-1} \omega_N^{k(x_0 + jr)}\Bigr| 
\le \sum_{j=0}^{n-1} \bigl|\omega_N^{k\delta_j} - 1\bigr| \tag{105}$$
$$= \sum_{j=0}^{n-1} 2\left|\sin\frac{\pi k\delta_j}{N}\right| \tag{106}$$
$$< \frac{2\pi nk}{N}, \tag{107}$$

where the last step uses $|\delta_j| < 1$ and $|\sin\theta| \le |\theta|$. 

This bound does not show that the amplitudes are close 
for all values of $k$. However, suppose we restrict our 
attention to those values of $k$ less than $N/\log r$. (We obtain 
such a $k$ with probability about $1/\log r$, so we can 
condition on such a value with only a polynomial increase 
in the overall running time.) For such $k$ the deviation (107) is 
at most $2\pi n/\log r$, smaller by a factor $O(1/\log r)$ than the 
$\Omega(n)$ magnitude of the unperturbed sum at its peaks. Then if $k = [jN/r]$ 
for some $j \in \mathbb{Z}$, we find (using Eq. (60)) 

$$\frac{1}{\sqrt{nN}}\Bigl|\sum_{j=0}^{n-1} \omega_N^{k(x_0 + [jr])}\Bigr| = \Omega\Bigl(\sqrt{\tfrac{n}{N}}\Bigr). \tag{108}$$


5. Measure the state of Eq. (103) in the computational 
basis. As in step 5 of Algorithm 5, we sample from 
a distribution in which some value $k = [jN/r]$ (with 
$j \in \mathbb{Z}$) appears with reasonably large probability (now 
$\Omega(1/\mathrm{poly}(\log r))$ instead of $\Omega(1)$). 

6. Finally, we must obtain an approximation to $r$ using 
these samples. Since $r$ is not an integer, the procedure 
from step 6 of Algorithm 5 does not suffice. However, we 
can perform Fourier sampling sufficiently many times 
that we obtain two values $[jN/r], [j'N/r]$ where $j$ 
and $j'$ are relatively prime, again with only polynomial 
overhead. It can be shown that if $N > 3r^2$, then 
$j/j'$ is guaranteed to be one of the convergents in 
the continued fraction expansion of $[jN/r]/[j'N/r]$. 
Thus we can learn $j$, and hence compute $jN/[jN/r]$, 
which gives a good approximation to $r$: in particular, 
$|r - jN/[jN/r]| < 1$. 
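The following added example (my code, not the article's) makes the two points of this subsection concrete in pure Python. First, the discretization warning: rounding a smooth $r$-periodic function at integer points gives values with no relation across a period, whereas $f(k) = \lfloor k \bmod r\rfloor$, the integer part of $k$'s position within its period and a toy stand-in for Hallgren's reduced-ideal function, is pseudoperiodic at all but an $O(1/r)$ fraction of inputs. Second, step 6: from two outcomes $k = \lfloor jN/r\rceil$ and $k' = \lfloor j'N/r\rceil$ with $\gcd(j, j') = 1$ and $N > 3r^2$, the convergents of $k/k'$ are enumerated, each yields the candidate $jN/k$, and candidates are confirmed by querying the black box near multiples of the candidate period (this check is this example's own device, not the article's). The quantum steps 1-5 are not simulated; the outcomes $j = 7$, $j' = 19$ are supplied directly, together with the constructed period $r = 100\sqrt 2$ and $N = 2^{16}$.

```python
"""Pseudoperiodic discretisation and classical recovery of an irrational period
(added example; not code from the article). The Fourier sampling of Algorithm 8,
steps 1-5, is not simulated: its outcomes k = round(jN/r) are supplied directly.
Step 6 (continued fractions) then runs as written. The toy black box
f(k) = floor(k mod r) stands in for Hallgren's reduced-ideal function, and the
candidate check in verify_period is this example's own, not the article's."""
from math import ceil, floor, pi, sin, sqrt


def pseudoperiodic_fraction(f, r, count):
    """Fraction of k in [0, count) at which f is pseudoperiodic with period r:
    f(k) == f(k + floor(r)) or f(k) == f(k + ceil(r)) (definition in Section V.D)."""
    lo, hi = floor(r), ceil(r)
    return sum(f(k) in (f(k + lo), f(k + hi)) for k in range(count)) / count


def naive_discretisation(r):
    """Rounding a smooth r-periodic function at integer points: the values at
    inputs a period apart are unrelated, as the text warns."""
    return lambda k: round(1000 * sin(2 * pi * k / r))


def pseudoperiodic_discretisation(r):
    """f(k) = floor(k mod r): the integer part of k's position in its period.
    Injective on one period, and pseudoperiodic at every k except those whose
    position lies in [floor(r), r), i.e. one input per period."""
    return lambda k: floor(k % r)


def convergents(num, den):
    """Convergents p/q of the continued fraction of num/den, in order."""
    p_prev, p, q_prev, q, out = 0, 1, 1, 0, []
    while den:
        a = num // den
        num, den = den, num - a * den
        p_prev, p = p, a * p + p_prev
        q_prev, q = q, a * q + q_prev
        out.append((p, q))
    return out


def verify_period(f, r_est, multiples=3):
    """Black-box test of a candidate period: for l = 1..multiples, some integer within
    one of round(l*r_est) must map back to f(0), as it does for the true period."""
    if r_est < 1:
        return False
    return all(any(m >= 1 and f(m) == f(0) for m in range(round(l * r_est) - 1, round(l * r_est) + 2))
               for l in range(1, multiples + 1))


def recover_period(f, k1, k2, N):
    """Step 6 of Algorithm 8. k1 = round(jN/r), k2 = round(j'N/r) with gcd(j, j') = 1
    and N > 3 r^2, so j/j' is a convergent of k1/k2 and |r - jN/k1| < 1. Candidates
    are tried in increasing order; the first one the black box confirms is returned."""
    r_max = sqrt(N / 3)                      # the a priori bound N > 3 r^2
    for j, j_dash in convergents(k1, k2):
        if j_dash > r_max:
            break
        if j >= 1 and verify_period(f, j * N / k1):
            return j * N / k1
    return None


def demo(r=100 * sqrt(2), N=1 << 16, j=7, j_dash=19):
    """Constructed instance: irrational r, N > 3 r^2 = 60000, and two coprime
    j, j' standing in for step-5 outcomes. Returns (estimate, r)."""
    f = pseudoperiodic_discretisation(r)
    k1, k2 = round(j * N / r), round(j_dash * N / r)
    return recover_period(f, k1, k2, N), r


if __name__ == "__main__":
    est, r = demo()
    f = pseudoperiodic_discretisation(r)
    print("pseudoperiodic fraction, rounded sine:", pseudoperiodic_fraction(naive_discretisation(r), r, 300))
    print("pseudoperiodic fraction, floor(k mod r):", pseudoperiodic_fraction(f, r, 300))
    print("recovered period", est, "true period", r)
```

The check in verify_period rejects the smaller convergents (for the demo instance they give candidates near $20.2$ and $60.6$, at which the black box never returns to $f(0)$) and accepts $7N/k$, which lies within $0.01$ of $r$, well inside the bound $|r - jN/[jN/r]| < 1$ stated above.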



E. The principal ideal problem and number field cryptography 

Pell's equation is closely related to another problem in algebraic 
number theory called the principal ideal problem. Fix 
a quadratic number field $\mathbb{Q}[\sqrt d]$, and suppose we are given 
an invertible ideal $I$, an ideal for which there exists some 
$J \subseteq \mathbb{Q}[\sqrt d]$ with $IJ = \mathbb{Z}[\sqrt d]$. In the principal ideal problem, 
we are asked to decide whether there is some $\alpha \in \mathbb{Z}[\sqrt d]$ such 
that $I = \alpha\mathbb{Z}[\sqrt d]$ (i.e., whether $I$ is principal), and if so, to 
find that $\alpha$ (or more precisely, an integer approximation $[\log\alpha]$ 
to $\log\alpha$). Notice that computing $\alpha$ can be viewed as an analog 
of the discrete logarithm problem in $\mathbb{Z}[\sqrt d]$. Using similar ideas 
as in the algorithm for solving Pell's equation, and proceeding 
along similar lines to Algorithm 3, Hallgren (2007) also gave 
an efficient quantum algorithm for the principal ideal problem. 

The integer factoring problem reduces to solving Pell's 
equation, and Pell's equation reduces to the principal ideal 
problem (Buchmann and Williams, 1990); but no reductions 
in the other direction are known. Indeed, whereas factoring 
is conjectured to be possible with a classical computer 
in time $2^{O((\log d)^{1/3}(\log\log d)^{2/3})}$, the best known classical 
algorithms for Pell's equation and the principal ideal problem both 
take time $2^{O(\sqrt{\log d\,\log\log d})}$ assuming the generalized Riemann 
hypothesis, or time $O(d^{1/4}\,\mathrm{poly}(\log d))$ with no such assumption 
(Buchmann, 1990; Vollmer, 2000). Motivated by the possibility 
that the principal ideal problem is indeed harder than 
factoring, Buchmann and Williams proposed a key exchange 
protocol based on it (Buchmann and Williams, 1990). This 
system is analogous to the Diffie-Hellman protocol discussed 
in Section IV.B.1, but instead of exchanging integers, Alice 
and Bob exchange reduced ideals. Hallgren's algorithm shows 
that quantum computers can efficiently break the Buchmann-Williams 
cryptosystem. 



F. Computing the unit group of a general number field 

Recall from Section V.B that the quantum algorithm for 
solving Pell's equation proceeds by computing the fundamental 
unit of the unit group of $\mathbb{Z}[\sqrt d]$. More generally, there 
is an efficient quantum algorithm to compute the unit group 
of an arbitrary number field of fixed degree (Hallgren, 2005; 
Schmidt and Vollmer, 2005), which we briefly summarize. 

In general, an algebraic number field (or simply number 
field) $\mathbb{K} = \mathbb{Q}[\theta]$ is a finite extension of the field $\mathbb{Q}$ of rational 
numbers. Here $\theta$ is a root of some monic irreducible polynomial 
over $\mathbb{Q}$ called the minimal polynomial. If the minimal 
polynomial has degree $n$, we say that $\mathbb{K}$ is a number field of 
degree $n$. For example, the quadratic number field $\mathbb{Q}[\sqrt d]$ has 
the minimal polynomial $x^2 - d$, and hence is of degree 2. 

For a general number field, the units are defined as the algebraic 
integers of that field whose inverses are also algebraic 
integers. In general, the units form a group under multiplication. 
Just as the units of a quadratic number field are powers 
of some fundamental unit, it can be shown that the unit group 
$U(\mathbb{K})$ of any number field $\mathbb{K}$ consists of elements of the form 
$\zeta\varepsilon_1^{n_1}\cdots\varepsilon_r^{n_r}$ for $n_1, \ldots, n_r \in \mathbb{Z}$, where $\zeta$ is a root of unity and 
$\varepsilon_1, \ldots, \varepsilon_r$ are called the fundamental units (with $r$ defined 
below). Given a number field of constant degree (say, in terms 
of its minimal polynomial), $\zeta$ can be computed efficiently by 
a classical computer. The unit group problem asks us to compute 
(the regulators of) the fundamental units $\varepsilon_1, \ldots, \varepsilon_r$. 

As in the quantum algorithm for solving Pell's equation, we 
can reduce this computation to a period-finding problem. To 
see how the periodic function is defined, suppose the minimal 
polynomial of $\mathbb{K}$ has $s$ real roots and $t$ pairs of complex 
roots; then the number of fundamental units is $r = s + t - 1$. 
Let $\theta_1, \ldots, \theta_s$ be the $s$ real roots, and let $\theta_{s+1}, \ldots, \theta_{s+t}$ be $t$ 
complex roots that, together with their complex conjugates 
$\theta_{s+1}^*, \ldots, \theta_{s+t}^*$, constitute all $2t$ complex roots. For each $j = 
1, \ldots, s + t$, we can embed $\mathbb{K}$ in $\mathbb{C}$ with the map $\sigma_j : \mathbb{K} \to \mathbb{C}$ that 
replaces $\theta$ by $\theta_j$. Then we define a function $L : \mathbb{K} \to \mathbb{R}^{r+1}$ as 

$$L(x) := \bigl(\log|\sigma_1(x)|, \ldots, \log|\sigma_s(x)|,\ 2\log|\sigma_{s+1}(x)|, \ldots, 2\log|\sigma_{s+t}(x)|\bigr). \tag{109}$$

By Dirichlet's theorem, $L(U(\mathbb{K}))$ is an $r$-dimensional lattice in 
$\mathbb{R}^{r+1}$ whose coordinates $(y_1, \ldots, y_{r+1})$ obey $\sum_j y_j = 0$ (Cohen, 
1993, Thm. 4.9.7). The unit group problem is essentially 
equivalent to finding a basis for this lattice, i.e., determining 
the periodicity of $L(x)$. Note that since the lattice has dimension 
$r$, we can restrict our attention to any $r$ components of 
$L(x)$, thereby giving a period finding problem over $\mathbb{R}^r$. 

There are two main parts to the quantum algorithm for computing 
the unit group, again paralleling the algorithm for Pell's 
equation. First, one must show how to efficiently compute 
the function $L(x)$, or more precisely, a related function that 
hides the same lattice, analogous to the function discussed 
in Section V.C (and again based on the concept of a reduced 
ideal). Second, one must generalize period finding over $\mathbb{R}$ 
(Section V.D) to period finding over $\mathbb{R}^r$. All relevant computations 
can be performed efficiently provided the degree of $\mathbb{K}$ 
is constant, giving an efficient quantum algorithm for the unit 
group problem in this case. 


G. The principal ideal problem and the class group 

We conclude our discussion of quantum algorithms for 
number fields by mentioning two additional problems with efficient 
quantum algorithms. 

In Section V.E, we saw that the efficient quantum algorithm 
for Pell's equation can be adapted to efficiently decide 
whether a given ideal is principal, and if so, to compute (the 
regulator of) its generator. More generally, the principal ideal 
problem can be defined for any number field, and the techniques 
discussed in Section V.F can be applied to give an efficient 
quantum algorithm for it whenever the number field has 
constant degree (Hallgren, 2005). 

A related problem is the task of computing the class group 
$\mathrm{Cl}(\mathbb{K})$ of a number field $\mathbb{K}$. The class group is defined as 
the set of ideals of $\mathbb{K}$ modulo the set of principal ideals of 
$\mathbb{K}$; it is a finite Abelian group. The class group problem asks 
us to decompose $\mathrm{Cl}(\mathbb{K})$ in the sense of Section IV.G. Assuming 
the generalized Riemann hypothesis (GRH), there is a 
polynomial-time algorithm to find generators of $\mathrm{Cl}(\mathbb{K})$ (Thiel, 
1995). If $\mathbb{K} = \mathbb{Q}[\sqrt d]$ is an imaginary quadratic number 
field, then its elements have unique representatives that can 
be computed efficiently, and $\mathrm{Cl}(\mathbb{K})$ can be decomposed using 
the procedure of (Cheung and Mosca, 2001; Mosca, 1999). 
More generally, it is not known how to uniquely represent the 
elements of $\mathrm{Cl}(\mathbb{K})$ in an efficiently computable way. However, 
we can take advantage of the technique introduced in 
(Watrous, 2001a) for computing over quotient groups, namely 
to represent a coset by the uniform superposition of its elements. 
Using this idea, it can be shown that there is an efficient 
quantum algorithm for decomposing $\mathrm{Cl}(\mathbb{K})$, provided 
$\mathbb{K}$ has constant degree and assuming the GRH (Hallgren, 
2005) (see (Hallgren, 2007) for the special case of a real 
quadratic number field). In particular, we can efficiently compute 
$|\mathrm{Cl}(\mathbb{K})|$, the class number of the number field $\mathbb{K}$, just as 
Kedlaya's algorithm does for curves (Section IV.H). 



VI. NON-ABELIAN QUANTUM FOURIER TRANSFORM 

In Section IV, we saw that the Abelian Fourier transform 
can be used to exploit the symmetry of an Abelian HSP, and 
that this essentially gave a complete solution. In the non-Abelian 
version of the HSP, we will see that a non-Abelian 
version of the Fourier transform can similarly be used to exploit 
the symmetry of the problem. However, in general, this 
will only take us part of the way to a solution of the non-Abelian 
HSP. 



A. The Fourier transform over a non-Abelian group 

We begin by discussing the definition of the non-Abelian 
Fourier transform. For a more extensive review of Fourier 
analysis on finite groups, we recommend the books by 
Diaconis (1988); Serre (1977); Terras (1999). Here we as- 
sume knowledge of group representation theory; see Ap- 
pendix B for a summary of the requisite background. 

The Fourier transform of the state $|x\rangle$ corresponding to the 
group element $x \in G$ is a weighted superposition over a complete 
set of irreducible representations $\hat G$, namely 

$$|\hat x\rangle := \frac{1}{\sqrt{|G|}}\sum_{\sigma \in \hat G} d_\sigma\,|\sigma, \sigma(x)\rangle, \tag{110}$$

where $d_\sigma$ is the dimension of the representation $\sigma$, $|\sigma\rangle$ is a state 
that labels the irreducible representation (or irrep), and $|\sigma(x)\rangle$ 
is a normalized, $d_\sigma^2$-dimensional state whose amplitudes are 
given by the entries of the $d_\sigma \times d_\sigma$ matrix $\sigma(x)/\sqrt{d_\sigma}$: 

$$|\sigma(x)\rangle := \bigl(\sigma(x) \otimes I_{d_\sigma}\bigr)\sum_{j=1}^{d_\sigma}\frac{|j, j\rangle}{\sqrt{d_\sigma}} \tag{111}$$
$$= \sum_{j,k=1}^{d_\sigma}\frac{\sigma(x)_{j,k}}{\sqrt{d_\sigma}}\,|j, k\rangle. \tag{112}$$

Here $\sigma(x)$ is a unitary matrix representing the group element 
$x \in G$; we have $\sigma(x)\sigma(y) = \sigma(xy)$ for all $x, y \in G$. (If $\sigma$ is one 
dimensional, then $|\sigma(x)\rangle$ is simply a phase factor $\sigma(x) \in \mathbb{C}$ 
with $|\sigma(x)| = 1$.) In other words, the Fourier transform over $G$ 
is the unitary matrix 

$$F_G := \sum_{x \in G} |\hat x\rangle\langle x| \tag{113}$$
$$= \frac{1}{\sqrt{|G|}}\sum_{x \in G}\sum_{\sigma \in \hat G} d_\sigma\,|\sigma, \sigma(x)\rangle\langle x|. \tag{114}$$

Note that the Fourier transform over a non-Abelian $G$ is not 
uniquely defined, but rather, depends on a choice of basis for 
each irrep of dimension greater than 1. 

It is straightforward to check that $F_G$ is indeed a unitary 
transformation. Using the identity 

$$\langle\sigma(y)|\sigma(x)\rangle = \mathrm{Tr}\bigl(\sigma^\dagger(y)\sigma(x)\bigr)/d_\sigma = \chi_\sigma(y^{-1}x)/d_\sigma, \tag{115}$$

we have 

$$\langle\hat y|\hat x\rangle = \frac{1}{|G|}\sum_{\sigma \in \hat G} d_\sigma^2\,\langle\sigma(y)|\sigma(x)\rangle \tag{116}$$
$$= \frac{1}{|G|}\sum_{\sigma \in \hat G} d_\sigma\,\chi_\sigma(y^{-1}x). \tag{117}$$

Hence by Eqs. (B5) and (B6) in Appendix B, we see that 
$\langle\hat y|\hat x\rangle = \delta_{x,y}$. 

As noted in Appendix B, $F_G$ is precisely the transformation 
that simultaneously block-diagonalizes the actions of left and 
right multiplication, or equivalently, that decomposes both the 
left and right regular representations of $G$ into their irreducible 
components. Let us check this explicitly for the left regular 
representation $L$ of $G$. This representation satisfies $L(x)|y\rangle = 
|xy\rangle$ for all $x, y \in G$, so 

$$\hat L(x) := F_G\,L(x)\,F_G^\dagger \tag{118}$$
$$= \sum_{y \in G} |\widehat{xy}\rangle\langle\hat y| \tag{119}$$
$$= \sum_{y \in G}\sum_{\sigma,\sigma' \in \hat G}\sum_{j,k=1}^{d_\sigma}\sum_{j',k'=1}^{d_{\sigma'}} \frac{\sqrt{d_\sigma d_{\sigma'}}}{|G|}\,\sigma(xy)_{j,k}\,\sigma'(y)^*_{j',k'}\,|\sigma, j, k\rangle\langle\sigma', j', k'| \tag{120}$$
$$= \sum_{y \in G}\sum_{\sigma,\sigma' \in \hat G}\sum_{j,k=1}^{d_\sigma}\sum_{j',k'=1}^{d_{\sigma'}}\sum_{\ell=1}^{d_\sigma} \frac{\sqrt{d_\sigma d_{\sigma'}}}{|G|}\,\sigma(x)_{j,\ell}\,\sigma(y)_{\ell,k}\,\sigma'(y)^*_{j',k'}\,|\sigma, j, k\rangle\langle\sigma', j', k'| \tag{121}$$
$$= \sum_{\sigma \in \hat G}\sum_{j,k,\ell=1}^{d_\sigma} \sigma(x)_{j,\ell}\,|\sigma, j, k\rangle\langle\sigma, \ell, k| \tag{122}$$
$$= \bigoplus_{\sigma \in \hat G}\bigl(\sigma(x) \otimes I_{d_\sigma}\bigr), \tag{123}$$

where in passing from Eq. (121) to Eq. (122) we have used the 
orthogonality relation for irreps (Theorem 5 in Appendix B), 
$\sum_{y \in G}\sigma(y)_{\ell,k}\,\sigma'(y)^*_{j',k'} = \frac{|G|}{d_\sigma}\,\delta_{\sigma,\sigma'}\,\delta_{\ell,j'}\,\delta_{k,k'}$. 

A similar calculation can be done for the right regular representation 
defined by $R(x)|y\rangle = |yx^{-1}\rangle$, giving 

$$\hat R(x) := F_G\,R(x)\,F_G^\dagger \tag{124}$$
$$= \bigoplus_{\sigma \in \hat G}\bigl(I_{d_\sigma} \otimes \sigma(x)^*\bigr). \tag{125}$$

This identity will be useful when analyzing the application of 
the quantum Fourier transform to the hidden subgroup problem 
in Section VII. 






B. Efficient quantum circuits 

In Section III.B, we described efficient quantum circuits 
for implementing the quantum Fourier transform over any finite 
Abelian group. Analogous circuits are known for many, 
but not all, non-Abelian groups. Just as the circuit for the 
QFT over a cyclic group parallels the usual classical fast 
Fourier transform (FFT), many of these circuits build on 
classical implementations of FFTs over non-Abelian groups 
(Beth, 1987; Clausen, 1989; Diaconis and Rockmore, 1990; 
Maslen and Rockmore, 1995; Rockmore, 1990). Here we 
briefly summarize the groups for which efficient QFTs are 
known. 

Høyer (1997) gave efficient circuits for the quantum Fourier 
transform over metacyclic groups (i.e., semidirect products 
of cyclic groups), including the dihedral group, and over the 
Pauli group on $n$ qubits. An alternative construction for certain 
metacyclic 2-groups is given in (Püschel et al., 1999). 
Beals gave an efficient implementation of the QFT over the 
symmetric group (Beals, 1997). Finally, Moore et al. (2006) 
gave a general construction of QFTs, systematically quantizing 
classical FFTs. For example, this approach yields 
polynomial-time quantum circuits for Clifford groups, the 
symmetric group, the wreath product of a polynomial-sized 
group, and metabelian groups. 

There are a few important groups for which efficient quantum 
Fourier transforms are not known. These include the 
classical groups, such as the group $GL_n(\mathbb{F}_q)$ of $n \times n$ invertible 
matrices over a finite field with $q$ elements. However, it 
is possible to implement these transforms in subexponential 
time (Moore et al., 2006). 



VII. NON-ABELIAN HIDDEN SUBGROUP PROBLEM 

We now turn to the general, non-Abelian version of the 
hidden subgroup problem. We begin by stating the problem 
and describing some of its potential applications. Then we 
describe the standard way of approaching the problem on a 
quantum computer, and explain how the non-Abelian Fourier 
transform can be used to simplify the resulting hidden sub- 
group states. This leads to the notions of weak and strong 
Fourier sampling; we describe some of their applications and 
limitations. Then we discuss how multi-register measure- 
ments on hidden subgroup states can potentially avoid some of 
those limitations. Finally, we describe two specific algorith- 
mic techniques for hidden subgroup problems: the Kuperberg 
sieve and the pretty good measurement. Note that some of the 
results presented in Section VIII, on the hidden shift problem, 
also give algorithms for the non-Abelian HSP. 



A. The problem and its applications 

The non-Abelian hidden subgroup problem naturally generalizes 
the Abelian HSP considered in Section IV. In the 
hidden subgroup problem for a group $G$, we are given a black 
box function $f : G \to S$, where $S$ is a finite set. We say that $f$ 
hides a subgroup $H \le G$ provided 

$$f(x) = f(y) \text{ if and only if } x^{-1}y \in H \tag{126}$$

(where we use multiplicative notation for non-Abelian 
groups). In other words, $f$ is constant on left cosets 
$H, g_1H, g_2H, \ldots$ of $H$ in $G$, and distinct on different left cosets. 
We say that an algorithm for the HSP in $G$ is efficient if it runs 
in time $\mathrm{poly}(\log|G|)$. 

The choice of left cosets is an arbitrary one; we could just as 
well define the HSP in terms of right cosets $H, Hg_1, Hg_2, \ldots$, 
by promising that $f(x) = f(y)$ if and only if $xy^{-1} \in H$. But 
here we will use the definition in terms of left cosets. 

The non-Abelian HSP is of interest not only because it generalizes 
the Abelian case in a natural way, but because a solution 
of certain non-Abelian HSPs would have particularly 
useful applications. The most well-known (and also the most 
straightforward) applications are to the graph automorphism 
problem and the graph isomorphism problem (Beals, 1997; 
Boneh and Lipton, 1995; Ettinger and Høyer, 1999; Høyer, 
1997). 

In the graph automorphism problem, we are given a graph 
$\Gamma$ on $n$ vertices, and our goal is to determine its automorphism 
group. We say that $\pi \in S_n$ is an automorphism of $\Gamma$ if 
$\pi(\Gamma) = \Gamma$. The automorphisms of $\Gamma$ form a group $\mathrm{Aut}\,\Gamma \le S_n$; 
if $\mathrm{Aut}\,\Gamma$ is trivial then we say $\Gamma$ is rigid. We may cast the graph 
automorphism problem as an HSP over $S_n$ by considering the 
function $f(\pi) := \pi(\Gamma)$, which hides $\mathrm{Aut}\,\Gamma$. 

In the graph isomorphism problem, we are given two connected 
graphs $\Gamma, \Gamma'$, each on $n$ vertices, and our goal is to 
determine whether there is any permutation $\pi \in S_n$ such that 
$\pi(\Gamma) = \Gamma'$, in which case we say that $\Gamma$ and $\Gamma'$ are isomorphic. 
We can cast graph isomorphism as an HSP in the wreath 
product $S_n \wr S_2 \le S_{2n}$. (The wreath product group $G \wr T$, where 
$T \le S_m$, is the semidirect product $G^m \rtimes T$, where $T$ acts to 
permute the elements of $G^m$.) Writing the elements of $S_n \wr S_2$ 
in the form $(\sigma, \tau, b)$ where $\sigma, \tau \in S_n$ represent permutations of 
$\Gamma, \Gamma'$, respectively, and $b \in \{0, 1\}$ denotes whether to swap the 
two graphs, we define 

$$f(\sigma, \tau, b) := \begin{cases} (\sigma(\Gamma), \tau(\Gamma')) & b = 0 \\ (\sigma(\Gamma'), \tau(\Gamma)) & b = 1. \end{cases} \tag{127}$$

The function $f$ hides the automorphism group of the disjoint 
union of $\Gamma$ and $\Gamma'$. This group contains an element that swaps 
the two graphs, and hence is at least twice as large as $|\mathrm{Aut}\,\Gamma| \cdot 
|\mathrm{Aut}\,\Gamma'|$, if and only if the graphs are isomorphic. In particular, 
if $\Gamma$ and $\Gamma'$ are rigid (which seems to be a hard case for the HSP 
approach to graph isomorphism, and in fact is equivalent to the 
problem of deciding rigidity (Hoffmann, 1982, Sec. VI.6)), 
the hidden subgroup is trivial when $\Gamma, \Gamma'$ are non-isomorphic, 
and has order two, with its nontrivial element the involution 
$(\pi, \pi^{-1}, 1)$, when $\Gamma = \pi(\Gamma')$. 

The graph automorphism and graph isomorphism problems 
are closely related. The decision version of graph isomorphism 
is polynomial-time equivalent to the problems of finding 
an isomorphism between two graphs provided one exists, 
counting the number of such isomorphisms, finding the 
automorphism group of a single graph, and computing the 
size of this automorphism group (Hoffmann, 1982). Deciding 
whether a graph is rigid (i.e., whether the automorphism 
group is trivial) can be reduced to general graph isomorphism, 
but the other direction is unknown, so deciding rigidity could 
be an easier problem (Köbler et al., 1993). 

We should point out the possibility that graph isomorphism 
is not a hard problem, even for classical computers. 
There are polynomial-time classical algorithms for many special 
cases of graph isomorphism, such as when the maximum 
degree is bounded (Luks, 1982), the genus is bounded 
(Filotti and Mayer, 1980; Miller, 1980), or the eigenvalue 
multiplicity is bounded (Babai et al., 1982). Furthermore, 
there are classical algorithms that run in time $2^{O(\sqrt{n\log n})}$ for 
general graphs (Babai et al., 1983), and in time $n^{O(n^{1/3}\log n)}$ for 
strongly regular graphs (Spielman, 1996), which are suspected 
to be some of the hardest graphs for the problem. Even 
if there is a polynomial-time quantum algorithm for graph 
isomorphism, it is plausible that the HSP in the symmetric 
group might be substantially harder, since the graph structure 
is lost in the reduction to the HSP. Indeed, solving the HSP 
in the symmetric group would equally well solve other isomorphism 
problems, such as the problem of code equivalence 
(Ettinger and Høyer, 1999), which is at least as hard as graph 
isomorphism, and possibly harder (Petrank and Roth, 1997). 

The second major potential application of the hidden subgroup 
problem is to lattice problems. An $n$-dimensional lattice 
is the set of all integer linear combinations of $n$ linearly 
independent vectors in $\mathbb{R}^n$ (a basis for the lattice). In the shortest 
vector problem, we are asked to find a shortest nonzero vector 
in the lattice (see for example Micciancio and Goldwasser 
(2002)). In particular, in the $g(n)$-unique shortest vector 
problem, we are promised that the shortest nonzero vector 
is unique (up to its sign), and is shorter than any other 
non-parallel vector by a factor $g(n)$. This problem can be 
solved in polynomial time on a classical computer if $g(n) = 
(1 + \epsilon)^n$ (Lenstra et al., 1982), and indeed even if $g(n) = 
2^{O(n\log\log n/\log n)}$ (Ajtai et al., 2001; Schnorr, 1987). The problem 
is NP-hard if $g(n) = O(1)$ (Ajtai, 1998; van Emde Boas, 
1981; Micciancio, 2001); in fact, even stronger hardness results 
are known (Khot, 2005). Even for $g(n) = \mathrm{poly}(n)$, 
the problem is suspected to be hard, at least for a classical 
computer. In particular, the presumed hardness of the 
$O(n^8)$-unique shortest vector problem is the basis for a cryptosystem 
proposed by Ajtai (1996); Ajtai and Dwork (1997); 
Micciancio and Goldwasser (2002), and a subsequent improvement 
by Regev (2003) requires quantum hardness of the 
$O(n^{1.5})$-unique shortest vector problem. 

Regev showed that an efficient quantum algorithm for the 
dihedral hidden subgroup problem based on the standard 
method (described below) could be used to solve the $\mathrm{poly}(n)$-unique 
shortest vector problem (Regev, 2004a). Such an algorithm 
would be significant since it would break these lattice 
cryptosystems, which are some of the few proposed cryptosystems 
that are not compromised by Shor's algorithm. 

So far, only the symmetric and dihedral hidden subgroup 
problems are known to have applications to natural problems. 
Nevertheless, there has been considerable interest in understanding 
the complexity of the HSP for general groups. There 
are at least three reasons for this. First, the problem is simply 
of fundamental interest: it appears to be a natural setting 
for exploring the extent of the advantage of quantum computers 
over classical ones. Second, techniques developed for 
other HSPs may eventually find application to the symmetric 
or dihedral groups. Finally, exploring the limitations of 
quantum computers for HSPs may suggest cryptosystems that 
could be robust even to quantum attacks (Hayashi et al., 2008; 
Kawachi et al., 2005; Moore et al., 2007c; Okamoto et al., 
2000; Regev, 2004a). 



B. The standard method 

Nearly all known algorithms for the non-Abelian hidden 
subgroup problem use the black box for $f$ in essentially 
the same way as in the Abelian HSP (Section IV.C). This 
approach has therefore come to be known as the standard 
method. 

In the standard method, we begin by preparing a uniform 
superposition over group elements: 

$$|G\rangle := \frac{1}{\sqrt{|G|}}\sum_{x \in G}|x\rangle. \tag{128}$$

We then compute the value $f(x)$ in an ancilla register, giving 

$$\frac{1}{\sqrt{|G|}}\sum_{x \in G}|x, f(x)\rangle. \tag{129}$$

Finally, we discard the second register. If we were to measure 
the second register, obtaining the outcome $y \in S$, then the state 
would be projected onto the uniform superposition of those 
$x \in G$ such that $f(x) = y$, which is simply some left coset of 
$H$. Since every coset contains the same number of elements, 
each left coset occurs with equal probability. Thus discarding 
the second register yields the coset state 

$$|xH\rangle := \frac{1}{\sqrt{|H|}}\sum_{h \in H}|xh\rangle \quad \text{with } x \in G \text{ uniformly random and unknown.} \tag{130}$$

Depending on context, it may be more convenient to view the 
outcome either as a random pure state, or equivalently, as the 
mixed quantum state 

$$\rho_H := \frac{1}{|G|}\sum_{x \in G}|xH\rangle\langle xH|, \tag{131}$$

which we refer to as a hidden subgroup state. In the standard 
approach to the hidden subgroup problem, we attempt to 
determine $H$ using samples of this hidden subgroup state. 

Historically, work on the hidden subgroup problem has focused 
almost exclusively on the standard method. However, 
while this method seems quite natural, there is no general 
proof that it is necessarily the best way to approach the HSP. 
Koiran et al. (2005) showed that the quantum query complexity 
of Simon's problem is linear, so that Simon's algorithm 
(using the standard method) is within a constant factor of optimal. 
This immediately implies an $\Omega(n)$ lower bound for the 
HSP in any group that contains the subgroup $(\mathbb{Z}/2\mathbb{Z})^n$. It would 
be interesting to prove similar results for more general groups, 
or to find other ways of evaluating the effectiveness of the 
standard method as compared with more general strategies. 



C. Weak Fourier sampling 

The symmetry of the coset state Eq. (130) (and equivalently, 
the hidden subgroup state Eq. (131)) can be exploited using 
the quantum Fourier transform. In particular, we have 

$$|xH\rangle = \frac{1}{\sqrt{|H|}}\sum_{h \in H} R(h^{-1})\,|x\rangle, \tag{132}$$

where $R$ is the right regular representation of $G$. Thus the 
hidden subgroup state can be written 

$$\rho_H = \frac{1}{|G|\,|H|}\sum_{h,h' \in H}\sum_{x \in G} R(h^{-1})\,|x\rangle\langle x|\,R(h'^{-1})^\dagger \tag{133}$$
$$= \frac{1}{|G|\,|H|}\sum_{h,h' \in H} R(h^{-1}h') \tag{134}$$
$$= \frac{1}{|G|}\sum_{h \in H} R(h). \tag{135}$$

Since the right regular representation is block-diagonal in 
the Fourier basis, the same is true of $\rho_H$. In particular, using 
Eq. (125), we have 

$$\hat\rho_H := F_G\,\rho_H\,F_G^\dagger \tag{136}$$
$$= \frac{1}{|G|}\bigoplus_{\sigma \in \hat G}\bigl(I_{d_\sigma} \otimes \sigma(H)^*\bigr), \tag{137}$$

where 

$$\sigma(H) := \sum_{h \in H}\sigma(h). \tag{138}$$

Since $\hat\rho_H$ is block diagonal, with blocks labeled by irreducible 
representations, we may now measure the irrep label 
without loss of information. This procedure is referred to as 
weak Fourier sampling. The probability of observing representation 
$\sigma \in \hat G$ under weak Fourier sampling is 

$$\Pr(\sigma) = \frac{1}{|G|}\,\mathrm{Tr}\bigl(I_{d_\sigma} \otimes \sigma(H)^*\bigr) \tag{139}$$
$$= \frac{d_\sigma}{|G|}\sum_{h \in H}\chi_\sigma(h)^*, \tag{140}$$

which is precisely $d_\sigma|H|/|G|$ times the number of times the 
trivial representation appears in $\mathrm{Res}_H\,\sigma$, the restriction of $\sigma$ 
to $H$ (Hallgren et al., 2003, Theorem 1.2). We may now ask 
whether polynomially many samples from this distribution are 
sufficient to determine $H$, and if so, whether $H$ can be reconstructed 
from this information efficiently. 

If $G$ is Abelian, then all of its representations are one-dimensional, so weak Fourier sampling reveals all of the available information about $\rho_H$. This information can indeed be used to efficiently determine $H$, as discussed in Section IV.C.



Weak Fourier sampling succeeds for a similar reason whenever $H$ is a normal subgroup of $G$ (denoted $H\trianglelefteq G$), i.e., whenever $gHg^{-1} = H$ for all $g\in G$ (Hallgren et al., 2003). In this case, the hidden subgroup state within the irrep $\sigma\in\hat G$ is proportional to

$\sigma(H)^* = \frac{1}{|G|}\sum_{g\in G}\sum_{h\in H}\sigma(ghg^{-1})^*,$ (141)



and this commutes with $\sigma(x)^*$ for all $x\in G$, so by Schur's Lemma (Theorem 4), it is a multiple of the identity. Thus $\rho_H$ is proportional to the identity within each block, and again weak Fourier sampling reveals all available information about $H$. Indeed, the distribution under weak Fourier sampling is particularly simple: we have

$\Pr(\sigma) = \begin{cases} d_\sigma^2|H|/|G| & H\subseteq\ker\sigma \\ 0 & \text{otherwise} \end{cases}$ (142)

(a straightforward generalization of the distribution seen in step 5 of Algorithm 4), where $\ker\sigma := \{g\in G : \sigma(g) = 1\}$ denotes the kernel of the representation $\sigma$. To see this, note that if $H\not\subseteq\ker\sigma$, then there is some $h'\in H$ with $\sigma(h')\ne 1$; but then $\sigma(h')\sigma(H) = \sum_{h\in H}\sigma(h'h) = \sigma(H)$, and since $\sigma(h')$ is unitary and $\sigma(H)$ is a scalar multiple of the identity, this can only be satisfied if in fact $\sigma(H) = 0$. On the other hand, if $H\subseteq\ker\sigma$, then $\chi_\sigma(h) = d_\sigma$ for all $h\in H$, and the result is immediate.

To find H, we can simply proceed as in the Abelian case: 

Algorithm 9 (Finding a normal hidden subgroup).
Input: Black box function hiding $H\trianglelefteq G$.
Problem: Determine $H$.

1. Let $K_0 := G$. For $t = 1,\ldots,T$, where $T = O(\log|G|)$:

(a) Perform weak Fourier sampling, obtaining an irrep $\sigma_t\in\hat G$.

(b) Let $K_t := K_{t-1}\cap\ker\sigma_t$.

2. Output $K_T$.

To see that this works, suppose that at the $t$th step, the intersection of the kernels is $K_{t-1}\trianglelefteq G$ with $K_{t-1}\ne H$ (so that, in particular, $|K_{t-1}|\ge 2|H|$); then the probability of obtaining an irrep $\sigma$ for which $K_{t-1}\subseteq\ker\sigma$ is (cf. step 6 of Algorithm 4)

$\sum_{\sigma:\,K_{t-1}\subseteq\ker\sigma}\frac{d_\sigma^2|H|}{|G|} = \frac{|H|}{|K_{t-1}|}\le\frac12,$ (143)

where we have used the fact that the distribution Eq. (142) remains normalized if $H$ is replaced by any normal subgroup of $G$. Each repetition of weak Fourier sampling has a probability of at least $1/2$ of cutting the intersection of the kernels at least in half, so we converge to $H$ in $O(\log|G|)$ steps. In fact, applying the same approach when $H$ is not necessarily normal in $G$ gives an algorithm to find the normal core of $H$, the largest subgroup of $H$ that is normal in $G$ (Hallgren et al., 2003).
This algorithm can be applied to find hidden subgroups in groups that are "close to Abelian" in a certain sense. In particular, Grigni et al. (2004) showed that if $\kappa(G)$, the intersection of the normalizers of all subgroups of $G$, is sufficiently large (specifically, if $|G|/|\kappa(G)| = 2^{O(\sqrt{\log|G|})}$, such as when $G = \mathbb{Z}/3\mathbb{Z}\rtimes\mathbb{Z}/2^n\mathbb{Z}$), then the HSP in $G$ can be solved in polynomial time. The idea is simply to apply the algorithm for normal subgroups to all subgroups containing $\kappa(G)$; the union of all subgroups obtained in this way gives the hidden subgroup with high probability. This result was subsequently improved to give a polynomial-time quantum algorithm whenever $|G|/|\kappa(G)| = \mathrm{poly}(\log|G|)$ (Gavinsky, 2004).



D. Strong Fourier sampling 

Despite the examples given in the previous section, weak Fourier sampling does not provide sufficient information to recover the hidden subgroup in the majority of non-Abelian hidden subgroup problems. For example, weak Fourier sampling fails to solve the HSP in the symmetric group (Grigni et al., 2004; Hallgren et al., 2003) and the dihedral group.

To obtain more information about the hidden subgroup, we can perform a measurement on the $d_\sigma^2$-dimensional state that results when weak Fourier sampling returns the outcome $\sigma$. Such an approach is referred to as strong Fourier sampling. From Eq. (137), this $d_\sigma^2$-dimensional state is the tensor product of a $d_\sigma$-dimensional maximally mixed state for the row register (as a consequence of the fact that the left and right regular representations commute) with some $d_\sigma$-dimensional state $\rho_{H,\sigma}$ for the column register. Since the row register does not depend on $H$, we may discard this register without loss of information. In other words, strong Fourier sampling is effectively faced with the state



$\rho_{H,\sigma} = \frac{\sigma(H)^*}{\sum_{h\in H}\chi_\sigma(h)^*}.$ (144)

This state is proportional to a projector whose rank is simply the number of times the trivial representation appears in $\mathrm{Res}^G_H\sigma^*$. This follows because

$\sigma(H)^2 = \sum_{h,h'\in H}\sigma(hh') = |H|\,\sigma(H),$ (145)

which gives

$\rho_{H,\sigma}^2 = \frac{|H|}{\sum_{h\in H}\chi_\sigma(h)^*}\,\rho_{H,\sigma},$ (146)

so that $\rho_{H,\sigma}$ is proportional to a projector with $\operatorname{rank}(\rho_{H,\sigma}) = \sum_{h\in H}\chi_\sigma(h)^*/|H|$.

It is not immediately clear how to choose a good basis for strong Fourier sampling, so a natural first approach is to consider the effect of measuring in a random basis (i.e., a basis chosen uniformly with respect to the Haar measure over $\mathbb{C}^{d_\sigma}$). There are a few cases in which such random strong Fourier sampling is fruitful. For example, Radhakrishnan et al. (2005) showed that measuring in a random basis provides sufficient information to solve the HSP in the Heisenberg group. Subsequently, Sen (2006) generalized this result to show that random strong Fourier sampling is information-theoretically sufficient whenever $\operatorname{rank}(\rho_{H,\sigma}) = \mathrm{poly}(\log|G|)$ for all $\sigma\in\hat G$ (for example, when $G$ is the dihedral group), as a consequence of a more general result on the distinguishability of quantum states using random measurements.

However, in some cases random strong Fourier sampling is unhelpful. For example, Grigni et al. (2004) showed that if $H$ is sufficiently small and $G$ is sufficiently non-Abelian (in a certain precise sense), then random strong Fourier sampling is not very informative. In particular, they showed this for the problem of finding hidden involutions in the symmetric group. Another example was provided by Moore et al. (2007a), who showed that random strong Fourier sampling fails in the metacyclic groups $\mathbb{Z}/p\mathbb{Z}\rtimes\mathbb{Z}/q\mathbb{Z}$ (subgroups of the affine group $\mathbb{Z}/p\mathbb{Z}\rtimes(\mathbb{Z}/p\mathbb{Z})^\times$) when $q < p^{1-\epsilon}$ for some $\epsilon > 0$.

Even when measuring in a random basis is information- 
theoretically sufficient, it does not give an efficient quantum 
algorithm; we must consider both the implementation of the 
measurement and the interpretation of its outcomes. We can- 
not efficiently measure in a random basis, but we can instead 
try to find explicit bases in which strong Fourier sampling can 
be performed efficiently, and for which the results solve the 
HSP. The first such algorithm was provided by Moore et al. (2007a), for the metacyclic groups $\mathbb{Z}/p\mathbb{Z}\rtimes\mathbb{Z}/q\mathbb{Z}$ with $q = p/\mathrm{poly}(\log p)$. Note that for these values of $p,q$, unlike the case $q < p^{1-\epsilon}$ mentioned above, measurement in a random basis is information-theoretically sufficient. Indeed, we do not
know of any example of an HSP for which strong Fourier sam- 
pling gives an efficient algorithm, yet random strong Fourier 
sampling fails information-theoretically; it would be interest- 
ing to find any such example (or to prove that none exists). 

Of course, simply finding an informative basis is not suf- 
ficient; it is also important that the measurement results can 
be efficiently post-processed. This issue arises not only in 
the context of measurement in a pseudo-random basis, but 
also in the context of certain explicit bases. For example, 
Ettinger and Høyer (2000) gave a basis for the dihedral HSP
in which a measurement gives sufficient classical information 
to infer the hidden subgroup, but no efficient means of post- 
processing this information is known (see Section VIII.A). 

For some groups, it turns out that strong Fourier sampling 
simply fails. Moore et al. (2005) showed that, regardless of 
what basis is chosen, strong Fourier sampling provides insuf- 
ficient information to solve the HSP in the symmetric group. 
Specifically, they showed that for any measurement basis (in- 
deed, for any POVM on the hidden subgroup states), the dis- 
tributions of outcomes in the cases where the hidden subgroup 
is trivial and where the hidden subgroup is a random involu- 
tion are exponentially close. 



E. Multi-register measurements and query complexity 

Even if we restrict our attention to the standard method, the 
failure of strong Fourier sampling does not necessarily mean 
that the HSP cannot be solved. In general, we need not restrict 
ourselves to measurements acting on a single hidden subgroup state $\rho_H$ at a time; rather, it may be advantageous to measure joint observables on $\rho_H^{\otimes k}$ for $k > 1$. Such an approach could conceivably be efficient provided $k = \mathrm{poly}(\log|G|)$.

By considering joint measurements of many hidden subgroup states at a time, Ettinger et al. (1999, 2004) showed that the query complexity of the HSP is polynomial. In other words, $\mathrm{poly}(\log|G|)$ queries of the black box function $f$ suffice to determine $H$. Unfortunately, this does not necessarily mean that the (quantum) computational complexity of the HSP is polynomial, since it is not clear in general how to perform the quantum post-processing of $\rho_H^{\otimes\mathrm{poly}(\log|G|)}$ efficiently.
Nevertheless, this is an important observation since it already 
shows a difference between quantum and classical computa- 
tion: recall that the classical query complexity of even the 
Abelian HSP is typically exponential. Furthermore, it offers 
some clues as to how we might design efficient algorithms. 

To show that the query complexity of the HSP is polynomial, it is sufficient to show that the (single-copy) hidden subgroup states are pairwise statistically distinguishable, as measured by the quantum fidelity

$F(\rho,\rho') := \operatorname{Tr}\big|\sqrt{\rho}\sqrt{\rho'}\big|.$ (147)

This follows from a result of Barnum and Knill (2002), who showed the following.

Theorem 3. Suppose $\rho$ is drawn from an ensemble $\{\rho_1,\ldots,\rho_N\}$, where each $\rho_i$ occurs with some fixed prior probability $p_i$. Then there exists a quantum measurement (the pretty good measurement¹⁰) that identifies $\rho$ with probability at least

$1 - N\sqrt{\max_{i\ne j}F(\rho_i,\rho_j)}.$ (148)

In fact, by the minimax theorem, this holds even without assuming a prior distribution for the ensemble (Harrow and Winter, 2006).

Given only one copy of the hidden subgroup state, Eq. (148) will typically give a trivial bound. However, by taking multiple copies of the hidden subgroup states, we can ensure that the overall states are nearly orthogonal, and hence distinguishable. In particular, since $F(\rho^{\otimes k},\rho'^{\otimes k}) = F(\rho,\rho')^k$, arbitrarily small error probability $\epsilon > 0$ can be achieved using

$k \ge \frac{2(\log N - \log\epsilon)}{\log\big(1/\max_{i\ne j}F(\rho_i,\rho_j)\big)}$ (149)

copies of $\rho$.

Provided that $G$ does not have too many subgroups, and that the fidelity between two distinct hidden subgroup states is not too close to 1, this shows that polynomially many copies of $\rho_H$ suffice to solve the HSP. The total number of subgroups of $G$ is $2^{O(\log^2|G|)}$, which can be seen as follows. Any group $K$ can be specified in terms of at most $\log_2|K|$ generators, since every additional (non-redundant) generator increases the size of the group by at least a factor of 2. Since every subgroup of $G$ can be specified by a subset of at most $\log_2|G|$ elements of $G$, the number of subgroups of $G$ is upper bounded by $|G|^{\log_2|G|} = 2^{(\log_2|G|)^2}$. Thus $k = \mathrm{poly}(\log|G|)$ copies of $\rho_H$ suffice to solve the HSP provided the maximum fidelity is bounded away from 1 by at least $1/\mathrm{poly}(\log|G|)$.

To upper bound the fidelity between two states $\rho,\rho'$, let $\Pi_\rho$ denote the projector onto the support of $\rho$. By considering the POVM with elements $\Pi_\rho, 1-\Pi_\rho$ and noting that the classical fidelity of the resulting distribution is an upper bound on the quantum fidelity, we have

$F(\rho,\rho') \le \sqrt{\operatorname{Tr}\Pi_\rho\rho'}.$ (150)

Now consider the fidelity between $\rho_H$ and $\rho_{H'}$ for two distinct subgroups $H,H'\le G$. Let $|H|\ge|H'|$ without loss of generality. We can write Eq. (131) as

$\rho_H = \frac{|H|}{|G|}\sum_{x\in T_H}|xH\rangle\langle xH|,$ (151)

where $T_H$ is a left transversal of $H$ (i.e., a complete set of unique representatives for the left cosets of $H$ in $G$). Since Eq. (151) is a spectral decomposition of $\rho_H$, we have

$\Pi_{\rho_H} = \sum_{x\in T_H}|xH\rangle\langle xH| = \frac{1}{|H|}\sum_{x\in G}|xH\rangle\langle xH|.$ (152)

Then we have

$F(\rho_H,\rho_{H'})^2 \le \operatorname{Tr}\Pi_{\rho_H}\rho_{H'}$ (153)

$\phantom{F(\rho_H,\rho_{H'})^2} = \frac{1}{|H||G|}\sum_{x,x'\in G}|\langle xH|x'H'\rangle|^2$ (154)

$\phantom{F(\rho_H,\rho_{H'})^2} = \frac{1}{|G||H|^2|H'|}\sum_{x,x'\in G}|xH\cap x'H'|^2$ (155)

$\phantom{F(\rho_H,\rho_{H'})^2} = \frac{|H\cap H'|}{|H|}$ (156)

$\phantom{F(\rho_H,\rho_{H'})^2} \le \frac12,$ (157)

where we have used the fact that

$|xH\cap x'H'| = \begin{cases} |H\cap H'| & \text{if } x^{-1}x'\in HH' \\ 0 & \text{otherwise} \end{cases}$ (158)

to evaluate

$\sum_{x,x'\in G}|xH\cap x'H'|^2 = |G|\cdot|H\cap H'|^2\cdot|HH'|$ (159)

$\phantom{\sum_{x,x'\in G}|xH\cap x'H'|^2} = |G|\cdot|H|\cdot|H'|\cdot|H\cap H'|.$ (160)

This shows that $F(\rho_H,\rho_{H'})\le 1/\sqrt2$, thereby establishing that the query complexity of the HSP is $\mathrm{poly}(\log|G|)$.

¹⁰ To distinguish the states $\rho_i$ with prior probabilities $p_i$, the pretty good measurement (PGM) uses the measurement operators $E_i := p_i\,\rho^{-1/2}\rho_i\rho^{-1/2}$, where $\rho := \sum_i p_i\rho_i$ (see for example Hausladen and Wootters (1994)).
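The chain of equalities and inequalities above can be checked numerically on a small Abelian group. The following Python script is an added example rather than part of the review: it realises each coset $xH$ of $G = \mathbb{Z}/N\mathbb{Z}$ as a subset, so that $|xH\rangle$ is its normalised indicator vector and $\langle xH|x'H'\rangle = |xH\cap x'H'|/\sqrt{|H||H'|}$; it then evaluates $|xH\cap x'H'|$ directly and via Eq. (158), sums the squares as in Eqs. (159)-(160), and computes the projector bound $\operatorname{Tr}\Pi_{\rho_H}\rho_{H'} = |H\cap H'|/|H|$ of Eqs. (154)-(157). The choice $N = 12$ with $H = \langle 2\rangle$ and $H' = \langle 3\rangle$ is a constructed instance.

```python
from fractions import Fraction

# Added example (not from the review): the projector bound on the fidelity
# between two hidden subgroup states of G = Z/NZ, following Eqs. (152)-(160).
# Subgroups and cosets are frozensets of residues; the group law is addition.


def subgroup(N, d):
    """The cyclic subgroup <d> of Z/NZ."""
    return frozenset((d * t) % N for t in range(N))


def coset(N, x, H):
    return frozenset((x + h) % N for h in H)


def overlap(N, x, H, xp, Hp):
    """|xH ∩ x'H'| computed directly from the two cosets."""
    return len(coset(N, x, H) & coset(N, xp, Hp))


def overlap_formula(N, x, H, xp, Hp):
    """Eq. (158): |H ∩ H'| if x^{-1} x' (here x' - x) lies in HH', else 0."""
    HHp = {(h + hp) % N for h in H for hp in Hp}
    return len(H & Hp) if (xp - x) % N in HHp else 0


def formula_matches_everywhere(N, H, Hp):
    """Eq. (158) agrees with the direct count for every pair of representatives."""
    return all(overlap(N, x, H, xp, Hp) == overlap_formula(N, x, H, xp, Hp)
               for x in range(N) for xp in range(N))


def sum_of_squared_overlaps(N, H, Hp):
    """sum_{x,x'} |xH ∩ x'H'|^2, the left-hand side of Eq. (159)."""
    return sum(overlap(N, x, H, xp, Hp) ** 2 for x in range(N) for xp in range(N))


def eq160_rhs(N, H, Hp):
    """|G| * |H| * |H'| * |H ∩ H'|, the right-hand side of Eq. (160)."""
    return N * len(H) * len(Hp) * len(H & Hp)


def projector_bound(N, H, Hp):
    """Tr(Pi_{rho_H} rho_{H'}) via Eq. (155): (1/(|G||H|^2|H'|)) sum |xH ∩ x'H'|^2.

    Eq. (150) makes this an upper bound on F(rho_H, rho_{H'})^2, and Eq. (156)
    says it equals |H ∩ H'| / |H|, which is at most 1/2 when H' != H, |H| >= |H'|."""
    return Fraction(sum_of_squared_overlaps(N, H, Hp), N * len(H) ** 2 * len(Hp))


if __name__ == "__main__":
    N = 12                                    # constructed instance
    H, Hp = subgroup(N, 2), subgroup(N, 3)    # |H| = 6 >= |H'| = 4, H ∩ H' = {0, 6}
    print(formula_matches_everywhere(N, H, Hp))
    print(sum_of_squared_overlaps(N, H, Hp), eq160_rhs(N, H, Hp))
    print(projector_bound(N, H, Hp))          # 1/3 <= 1/2, so F <= 1/sqrt(3)
```

For the instance above every coset of $\langle 2\rangle$ meets every coset of $\langle 3\rangle$ in exactly two points (the Chinese remainder theorem), so all $144$ pairs contribute $4$ to the sum and the bound comes out to $|H\cap H'|/|H| = 2/6$.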
It is possible to obtain tighter bounds on the number of hidden subgroup states needed to solve the HSP. For example, Bacon et al. (2006) showed that $(1+o(1))\log_2 N$ hidden subgroup states are necessary and sufficient to find a hidden reflection in the dihedral group of order $2N$. In a similar vein,
Hayashi et al. (2008) gave asymptotically tight bounds on the 
number of hidden subgroup states needed to solve the HSP in 
general groups, taking into account both the number of candi- 
date subgroups and their sizes. 

The measurements described in this section are highly 
multi-register: they observe correlated properties of all of 
poly(log|G|) hidden subgroup states at once. Thus they are 
quite far from strong Fourier sampling, in which measure- 
ments are made on only one hidden subgroup state at a time. 
It is natural to ask whether some less entangled measurement 
might also be sufficient for general groups, perhaps measur- 
ing a smaller number of hidden subgroup states at a time, and 
adaptively using those measurement results to decide what 
measurements to make on successive hidden subgroup states. 
However, Hallgren et al. (2006) have shown that this is not al- 
ways the case: in the symmetric group (as well as a few other 
groups such as the general linear group), entangled measurements on $\Omega(\log|G|)$ registers at a time are required to solve the HSP.



F. The Kuperberg sieve 

In this section, we describe an approach developed by Kuperberg (2005) that gives a subexponential (though not polynomial) time algorithm for the dihedral hidden subgroup problem; specifically, it runs in time $2^{O(\sqrt{\log N})}$.

The dihedral group of order $2N$, denoted $D_N$, is the group of symmetries of a regular $N$-gon. It has the presentation

$D_N = \langle r, s \mid r^2 = s^N = 1,\ rsr = s^{-1}\rangle.$ (161)

Here $r$ can be viewed as a reflection about some fixed axis, and $s$ can be viewed as a rotation by an angle $2\pi/N$.

Using the defining relations, we can write any group element in the form $s^x r^a$ where $x\in\mathbb{Z}/N\mathbb{Z}$ and $a\in\mathbb{Z}/2\mathbb{Z}$. Thus we can equivalently think of the group as consisting of elements $(x,a)\in\mathbb{Z}/N\mathbb{Z}\times\mathbb{Z}/2\mathbb{Z}$. Since



(162) 
(163) 
(164) 



the group operation for such elements can be expressed as

$(x,a)\cdot(y,b) = (x + (-1)^a y,\ a + b).$ (165)

(In particular, this shows that the dihedral group is the semidirect product $\mathbb{Z}/N\mathbb{Z}\rtimes_\varphi\mathbb{Z}/2\mathbb{Z}$, where $\varphi : \mathbb{Z}/2\mathbb{Z}\to\mathrm{Aut}(\mathbb{Z}/N\mathbb{Z})$ is defined by $\varphi(a)(y) = (-1)^a y$.) It is also easy to see that the group inverse is

$(x,a)^{-1} = (-(-1)^a x,\ a).$ (166)

The subgroups of $D_N$ are either cyclic or dihedral. The subgroups that are cyclic are of the form $\langle(x,0)\rangle$ where $x\in\mathbb{Z}/N\mathbb{Z}$ is some divisor of $N$ (including $x = N$). The subgroups that are dihedral are of the form $\langle(x,0),(y,1)\rangle$ where $x\in\mathbb{Z}/N\mathbb{Z}$ is some divisor of $N$ and $y\in\mathbb{Z}/x\mathbb{Z}$; in particular, there are subgroups of the form $\langle(y,1)\rangle$ where $y\in\mathbb{Z}/N\mathbb{Z}$. A result of Ettinger and Høyer (2000) reduces the general dihedral HSP, in which the hidden subgroup could be any of these possibilities, to the dihedral HSP with the promise that the hidden subgroup is of the form $\langle(y,1)\rangle = \{(0,0),(y,1)\}$, i.e., a subgroup of order 2 generated by the reflection $(y,1)$.¹¹ Thus, from now on we will assume that the hidden subgroup is of the form $\langle(y,1)\rangle$ for some $y\in\mathbb{Z}/N\mathbb{Z}$ without loss of generality.

When the hidden subgroup is $H = \langle(y,1)\rangle$, one particular left transversal of $H$ in $G$ consists of the left coset representatives $(z,0)$ for all $z\in\mathbb{Z}/N\mathbb{Z}$. The coset state Eq. (130) corresponding to the coset $(z,0)H$ is

$|(z,0)H\rangle = \frac{1}{\sqrt2}\big(|z,0\rangle + |y+z,1\rangle\big).$ (167)

We saw in Section VII.C that to distinguish coset states in general, one should start with weak Fourier sampling: apply a Fourier transform over $G$ and then measure the irrep label. Equivalently, we can simply Fourier transform the first register over $\mathbb{Z}/N\mathbb{Z}$, leaving the second register alone. When the resulting measurement outcome $k$ is not $0$ or $N/2$, this procedure is effectively the same as performing weak Fourier sampling, obtaining a two-dimensional irrep labeled by either $k$ (for $k\in\{1,\ldots,\lceil N/2\rceil - 1\}$) or $-k$ (for $k\in\{\lfloor N/2\rfloor + 1,\ldots,N-1\}$), with the uniformly random sign of $k$ corresponding to the maximally mixed row index, and the remaining qubit state corresponding to the column index. For $k = 0$ or $N/2$, the representation is reducible, corresponding to a pair of one-dimensional representations.

Fourier transforming the first register over $\mathbb{Z}/N\mathbb{Z}$, we obtain

$(F_{\mathbb{Z}/N\mathbb{Z}}\otimes I)\,|(z,0)H\rangle = \frac{1}{\sqrt{2N}}\sum_{k\in\mathbb{Z}/N\mathbb{Z}}\big(\omega_N^{kz}|k,0\rangle + \omega_N^{k(y+z)}|k,1\rangle\big)$ (168)

$\phantom{(F_{\mathbb{Z}/N\mathbb{Z}}\otimes I)\,|(z,0)H\rangle} = \frac{1}{\sqrt N}\sum_{k\in\mathbb{Z}/N\mathbb{Z}}\omega_N^{kz}|k\rangle\otimes\frac{1}{\sqrt2}\big(|0\rangle + \omega_N^{ky}|1\rangle\big),$ (169)

where $\omega_N := e^{2\pi i/N}$. If we then measure the first register, we obtain one of the $N$ values of $k$ uniformly at random, and we are left with the post-measurement state

$|\psi_k\rangle := \frac{1}{\sqrt2}\big(|0\rangle + \omega_N^{ky}|1\rangle\big)$ (170)

(dropping an irrelevant global phase that depends on $z$). Thus we are left with the problem of determining $y$ given the ability to produce single-qubit states of this form (where $k$ is known). Since this procedure is equivalent to dihedral weak Fourier sampling, there is no loss of information in processing the state to produce Eq. (170).

¹¹ The basic idea of the Ettinger-Høyer reduction is as follows. Suppose that $f : D_N\to S$ hides a subgroup $H = \langle(x,0),(y,1)\rangle$. Then we can consider the function $f$ restricted to elements from the Abelian group $\mathbb{Z}/N\mathbb{Z}\times\{0\}\le D_N$. This restricted function hides the subgroup $\langle(x,0)\rangle$, and since the restricted group is Abelian, we can find $x$ efficiently using Algorithm 4. Now $\langle(x,0)\rangle\trianglelefteq D_N$ (since $(z,a)(x,0)(z,a)^{-1} = (z + (-1)^a x, a)(-(-1)^a z, a) = ((-1)^a x, 0)\in\mathbb{Z}/N\mathbb{Z}\times\{0\}$), so we can define the quotient group $D_N/\langle(x,0)\rangle$. But this is simply a dihedral group (of order $N/x$), and if we now define a function $f'$ as $f$ evaluated on some coset representative, it hides the subgroup $\langle(y,1)\rangle$.

It would be useful if we could prepare states with particular values of $k$. For example, given the state $|\psi_{N/2}\rangle = \frac{1}{\sqrt2}\big(|0\rangle + (-1)^y|1\rangle\big)$, we can learn the parity of $y$ (i.e., its least significant bit) by measuring in the basis of states $|\pm\rangle := (|0\rangle\pm|1\rangle)/\sqrt2$. The main idea of Kuperberg's algorithm is to combine states of the form Eq. (170) to produce new states of the same form, but with more desirable values of $k$.

To combine states, we can use the following procedure. Given two states $|\psi_p\rangle$ and $|\psi_q\rangle$, perform a controlled-not gate from the former to the latter, giving

$|\psi_p\rangle|\psi_q\rangle = \tfrac12\big(|0,0\rangle + \omega_N^{py}|1,0\rangle + \omega_N^{qy}|0,1\rangle + \omega_N^{(p+q)y}|1,1\rangle\big)$ (171)

$\phantom{|\psi_p\rangle|\psi_q\rangle} \mapsto \tfrac12\big(|0,0\rangle + \omega_N^{py}|1,1\rangle + \omega_N^{qy}|0,1\rangle + \omega_N^{(p+q)y}|1,0\rangle\big)$ (172)

$\phantom{|\psi_p\rangle|\psi_q\rangle} = \tfrac{1}{\sqrt2}\big(|\psi_{p+q}\rangle|0\rangle + \omega_N^{qy}|\psi_{p-q}\rangle|1\rangle\big).$ (173)

Then a measurement on the second qubit leaves the first qubit in the state $|\psi_{p\pm q}\rangle$ (up to an irrelevant global phase), with the $+$ sign occurring when the outcome is $0$ and the $-$ sign occurring when the outcome is $1$, each outcome occurring with probability $1/2$.

Note that this combination procedure can be viewed as implementing the Clebsch-Gordan decomposition, the decomposition of a tensor product of representations into its irreducible constituents. The state indices $p$ and $q$ can be interpreted as labels of irreps of $D_N$, and the extraction of $|\psi_{p\pm q}\rangle$ can be seen as transforming their tensor product (a reducible representation of $D_N$) into one of two irreducible components.
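To make Eqs. (171)-(173) concrete, here is an added Python example (not code from the review) that builds $|\psi_p\rangle|\psi_q\rangle$ as a four-component amplitude vector, applies the controlled-not, projects the second qubit onto each outcome, and checks that the surviving qubit is $|\psi_{p+q}\rangle$ for outcome $0$ and $|\psi_{p-q}\rangle$ for outcome $1$, up to a global phase and each with probability $1/2$. It also performs the $|\pm\rangle$ measurement on $|\psi_{N/2}\rangle$ that reads off the parity of $y$. The values of $N$, $y$, $p$ and $q$ are constructed inputs.

```python
import cmath

# Added example (not from the review): the Kuperberg combination step,
# Eqs. (171)-(173), simulated on explicit amplitudes.  A qubit is a 2-element
# list; a two-qubit state is a 4-element list indexed by 2*a + b for |a, b>.
# omega = exp(2 pi i / N) throughout.

SQRT_HALF = 1 / 2 ** 0.5


def psi(k, y, N):
    """|psi_k> = (|0> + omega^{k y} |1>) / sqrt 2, Eq. (170)."""
    return [SQRT_HALF, SQRT_HALF * cmath.exp(2j * cmath.pi * k * y / N)]


def tensor(u, v):
    return [u[a] * v[b] for a in range(2) for b in range(2)]


def cnot(state):
    """Controlled-not from the first qubit to the second: |1,b> -> |1,1-b>."""
    return [state[0], state[1], state[3], state[2]]


def measure_second(state, outcome):
    """Project the second qubit onto |outcome>; return (first-qubit state, probability)."""
    amps = [state[0 * 2 + outcome], state[1 * 2 + outcome]]
    prob = sum(abs(a) ** 2 for a in amps)
    return [a / prob ** 0.5 for a in amps], prob


def same_up_to_phase(u, v, tol=1e-9):
    """True when u = e^{i theta} v for normalised u, v."""
    inner = sum(a.conjugate() * b for a, b in zip(u, v))
    return abs(abs(inner) - 1) < tol


def combine(p, q, y, N, outcome):
    """CNOT |psi_p>|psi_q>, then measure the second qubit and obtain `outcome`.

    Returns (sign, probability): sign is +1 if the first qubit is left in
    |psi_{p+q}>, -1 if it is left in |psi_{p-q}>, None if neither matches."""
    state = cnot(tensor(psi(p, y, N), psi(q, y, N)))
    first, prob = measure_second(state, outcome)
    if same_up_to_phase(first, psi(p + q, y, N)):
        return +1, prob
    if same_up_to_phase(first, psi(p - q, y, N)):
        return -1, prob
    return None, prob


def parity_from_psi_half(y, N):
    """Measure |psi_{N/2}> = (|0> + (-1)^y |1>)/sqrt 2 in the |+>, |-> basis.

    |<+|psi_{N/2}>|^2 is 1 for even y and 0 for odd y, so the outcome
    ('+' reported as 0, '-' as 1) is the least significant bit of y."""
    plus = [SQRT_HALF, SQRT_HALF]
    v = psi(N // 2, y, N)
    p_plus = abs(sum(a.conjugate() * b for a, b in zip(plus, v))) ** 2
    return 0 if p_plus > 0.5 else 1


if __name__ == "__main__":
    N, y = 16, 5                           # constructed instance
    print(combine(3, 7, y, N, 0))          # (1, 0.5): outcome 0 leaves |psi_10>
    print(combine(3, 7, y, N, 1))          # (-1, 0.5): outcome 1 leaves |psi_{-4}>
    print(parity_from_psi_half(y, N))      # 1
```

The check against $|\psi_{p-q}\rangle$ is only meaningful when $\omega_N^{2qy}\ne 1$, since otherwise $|\psi_{p+q}\rangle$ and $|\psi_{p-q}\rangle$ coincide; the constructed values avoid that degenerate case.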

Now we are ready to describe the algorithm of Kuperberg (2005). For simplicity, we will assume from now on that $N = 2^n$ is a power of 2. For such a dihedral group, it is actually sufficient to be able to determine the least significant bit of $y$, since such an algorithm could be used recursively to determine all the bits of $y$.¹² Our strategy for doing this is to start with a large number of states, and collect them into pairs $|\psi_p\rangle, |\psi_q\rangle$ that share many of their least significant bits, such that $|\psi_{p-q}\rangle$ is likely to have many of its least significant bits equal to zero. Trying to zero out all but the most significant bit in one shot would take exponentially long, so instead we proceed in stages, only trying to zero some of the least significant bits in each stage; this turns out to give an improvement. (This approach is similar to previous classical sieve algorithms for learning (Blum et al., 2003) and lattice (Ajtai et al., 2001) problems, as well as a subsequent classical algorithm for average case instances of subset sum (Flaxman and Przydatek, 2005).)

¹² To see this, note that the group $D_N$ contains two subgroups isomorphic to $D_{N/2}$, namely $\{(2x,0),(2x,1) : x\in\mathbb{Z}/(N/2)\mathbb{Z}\}$ and $\{(2x,0),(2x+1,1) : x\in\mathbb{Z}/(N/2)\mathbb{Z}\}$. The hidden subgroup is a subgroup of the former if $y$ has even parity, and of the latter if $y$ has odd parity. Thus, once we learn the parity of $y$, we can restrict our attention to the appropriate $D_{N/2}$ subgroup. The elements of either $D_{N/2}$ subgroup can be represented using only $n-1$ bits, and finding the least significant bit of the hidden reflection within this subgroup corresponds to finding the second least significant bit of $y$ in $D_N$. Continuing in this way, we can learn all the bits of $y$ with only $n$ iterations of an algorithm for finding the least significant bit of the hidden reflection.

Algorithm 10 (Kuperberg sieve).

Input: Black box function $f : D_{2^n}\to S$ hiding $\langle(y,1)\rangle\le D_{2^n}$ for some $y\in\mathbb{Z}/2^n\mathbb{Z}$.

Problem: Determine the least significant bit of $y$.

1. Prepare $O(16^{\sqrt n})$ coset states of the form Eq. (170), where each copy has $k\in\mathbb{Z}/2^n\mathbb{Z}$ chosen independently and uniformly at random.

2. For each $j = 0,1,\ldots,m-1$ where $m := \lceil\sqrt n\,\rceil$, assume the current coset states have indices $k$ with at least $mj$ of the least significant bits equal to 0. Collect them into pairs $|\psi_p\rangle, |\psi_q\rangle$ that share at least $m$ of the next least significant bits, discarding any qubits that cannot be paired. Create a state $|\psi_{p\pm q}\rangle$ from each pair, and discard it if the $+$ sign occurs. Notice that the resulting states have at least $m(j+1)$ of the least significant bits equal to 0.

3. The remaining states are of the form $|\psi_0\rangle$ and $|\psi_{2^{n-1}}\rangle$. Measure one of the latter states in the $|\pm\rangle$ basis to determine the least significant bit of $y$.

Since this algorithm requires $2^{O(\sqrt n)}$ initial queries and proceeds through $O(\sqrt n)$ stages, each of which takes at most $2^{O(\sqrt n)}$ steps, the overall running time is $2^{O(\sqrt n)}$.
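The following Python script is an added example, not code from the review or from Kuperberg's paper: it runs Algorithm 10 at the level of the labels $k$, which is exact because Eq. (173) makes each combination produce the label $p+q$ or $p-q$ with probability $1/2$ regardless of $y$. Step 2 is implemented to match shared low-order bits stage by stage and stops short of the top bit, so that the survivors are $|\psi_0\rangle$ and $|\psi_{2^{n-1}}\rangle$, and step 3 reads the parity of $y$ from the sign $\omega_N^{ky} = \pm 1$ of a surviving $k = 2^{n-1}$ label. The value $n = 9$ and the random seeds are constructed inputs.

```python
import cmath
import math
import random

# Added example (not from the review): Algorithm 10, the Kuperberg sieve, for
# D_{2^n}, simulated on the labels k of the states |psi_k> of Eq. (170).


def combine_labels(p, q, n, rng):
    """Classical stand-in for Eqs. (171)-(173): the second-qubit measurement
    yields outcome 0 (label p+q) or 1 (label p-q), each with probability 1/2."""
    if rng.random() < 0.5:
        return (p + q) % (1 << n), "+"
    return (p - q) % (1 << n), "-"


def sieve_labels(n, rng, initial):
    """Steps 1-2: return the surviving labels, all of which are 0 or 2^(n-1)."""
    N = 1 << n
    m = math.ceil(math.sqrt(n))                 # bits cancelled per stage
    labels = [rng.randrange(N) for _ in range(initial)]   # step 1: uniform k
    lo = 0                                      # the low `lo` bits are already zero
    while lo < n - 1:                           # step 2: never cancel the top bit
        hi = min(lo + m, n - 1)
        buckets = {}                            # group labels by bits lo..hi-1
        for k in labels:
            assert k % (1 << lo) == 0
            key = (k >> lo) & ((1 << (hi - lo)) - 1)
            buckets.setdefault(key, []).append(k)
        survivors = []
        for group in buckets.values():          # pair within a bucket; odd one out is dropped
            for i in range(0, len(group) - 1, 2):
                k, sign = combine_labels(group[i], group[i + 1], n, rng)
                if sign == "-":                 # keep |psi_{p-q}>, discard |psi_{p+q}>
                    survivors.append(k)
        labels, lo = survivors, hi
    return labels


def measure_pm(k, y, N):
    """Step 3: |psi_k> with omega^{k y} = +-1 measured in the |+>, |-> basis gives
    outcome '+' (bit 0) for +1 and '-' (bit 1) for -1."""
    w = cmath.exp(2j * cmath.pi * k * y / N)
    assert abs(w.imag) < 1e-9
    return 0 if w.real > 0 else 1


def kuperberg_lsb(n, y, rng, initial=None):
    """Least significant bit of y via Algorithm 10, or None if no |psi_{2^(n-1)}> survives."""
    N = 1 << n
    if initial is None:
        initial = 16 ** math.ceil(math.sqrt(n))     # O(16^sqrt(n)) coset states
    survivors = sieve_labels(n, rng, initial)
    assert all(k in (0, N // 2) for k in survivors)
    if N // 2 not in survivors:
        return None
    return measure_pm(N // 2, y, N)


def lsb_for_all(n, seed, ys):
    """Run the sieve for each y in ys with its own seeded generator; return the bits found."""
    return [kuperberg_lsb(n, y, random.Random(seed + y)) for y in ys]


if __name__ == "__main__":
    print(lsb_for_all(9, 2024, range(8)))     # [0, 1, 0, 1, 0, 1, 0, 1]
```

With $n = 9$ the sieve uses $m = 3$, starts from $16^3 = 4096$ labels, and passes through three stages that cancel bits $0$-$2$, $3$-$5$ and $6$-$7$; roughly a quarter of the paired labels survive each stage, leaving dozens of $k = 2^8$ labels, so a run that finds none is vanishingly unlikely.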

To show that the algorithm works, we need to prove that some qubits survive to the final stage of the process with non-negligible probability. Let us analyze a more general version of the algorithm to see why we should try to zero out $\sqrt n$ bits at a time, starting with $2^{\Theta(\sqrt n)}$ states.

Suppose we try to cancel $m$ bits in each stage, so that there are $n/m$ stages (not yet assuming any relationship between $m$ and $n$), starting with $2^\ell$ states. Each combination operation succeeds with probability $1/2$, and turns two states into one, so at each step we retain only about $1/4$ of the states that can be paired. Now when we pair states that allow us to cancel $m$ bits, there can be at most $2^m$ unpaired states, since that is the number of values of the $m$ bits to be canceled. Thus if we ensure that there are at least $2\cdot 2^m$ states at each stage, we expect to retain at least a $1/8$ fraction of the states for the next stage. Since we begin with $2^\ell$ states, we expect to have at least $2^{\ell-3j}$ states left after the $j$th stage. Thus, to have $2\cdot 2^m$ states remaining at the last stage of the algorithm, we require $2^{\ell-3n/m}\ge 2^{m+1}$, or $\ell\ge m + 3n/m + 1$. This is minimized by choosing $m\approx\sqrt n$, so $\ell\approx 4\sqrt n$ suffices.

This analysis is not quite correct because we do not obtain precisely a $1/8$ fraction of the paired states for use in the next stage. For most of the stages, we have many more than $2\cdot 2^m$ states, so nearly all of them can be paired, and the expected fraction remaining for the next stage is close to $1/4$. Of course, the precise fraction will experience statistical fluctuations. However, since we are working with a large number of states, the deviations from the expected values are very small, and a more careful analysis (using the Chernoff bound) shows that the procedure succeeds with high probability. For a detailed argument, see (Kuperberg, 2005, Sec. 3.1). That paper also gives an improved algorithm that runs faster and that works for general $N$.

Note that this algorithm uses not only superpolynomial time, but also superpolynomial space, since all $2^{\Theta(\sqrt n)}$ coset states are present at the start. However, by creating a smaller number of coset states at a time and combining them according to the solution of a subset sum problem, Regev (2004b) showed how to make the space requirement polynomial in $n$ with only a slight increase in the running time.

Although Kuperberg's algorithm acts on pairs of coset states at a time, the overall algorithm effectively implements a highly entangled measurement on all $2^{\Theta(\sqrt n)}$ registers, since the procedure for producing $|\psi_{p\pm q}\rangle$ entangles the coset states $|\psi_p\rangle$ and $|\psi_q\rangle$. The same is true of Regev's polynomial-space variant.

It is natural to ask whether a similar sieve could be applied 
to other HSPs, such as in the symmetric group, for which 
highly entangled measurements are necessary. Alagic et al. 
(2007) adapt Kuperberg's approach to give a subexponential- 
time algorithm for the HSP in G", where G is a fixed non- 
Abelian group. (Note that the HSP in G" can be much harder 
than solving n instances of the HSP in G, since G" has many 
subgroups that are not direct products of subgroups of G.) 
Also, Bacon (2008) showed that an algorithm for the Heisenberg HSP, similar to the one described in Section VII.G below, can be derived using the Clebsch-Gordan transform over
the Heisenberg group. It would be interesting to find further 
applications of the approach, especially ones that give new 
polynomial-time algorithms. 

Unfortunately, this kind of sieve does not seem well-suited to the symmetric group. In particular, Moore et al. (2007b) gave the following negative result for the HSP in $S_n\wr S_2$, where the hidden subgroup is promised to be either trivial or an involution. Consider any algorithm that works by combining pairs of hidden subgroup states to produce a new state in their Clebsch-Gordan decomposition, and uses the sequence of measurement results to guess whether the hidden subgroup is trivial or nontrivial. Any such algorithm must use $2^{\Omega(\sqrt n)}$ queries. Note that this lower bound is only slightly smaller than the best known classical algorithm for graph isomorphism, as mentioned in Section VII.A.



G. Pretty good measurement 

Another recent technique for the HSP is based on implementing the pretty good measurement (PGM) on the hidden subgroup states. Recall from Section VII.E that for any group $G$, the PGM applied to $\mathrm{poly}(\log|G|)$ copies of $\rho_H$ identifies



H with high probability. Thus if we can efficiently implement 
the PGM on sufficiently many copies, we will have found an 
efficient algorithm for the HSP. 

This approach was considered in (Bacon et al., 2005, 2006) for certain semidirect product groups $A\rtimes\mathbb{Z}/p\mathbb{Z}$, where $A$ is an Abelian group and $p$ is prime. For these groups, the general HSP can be reduced to the HSP assuming that the hidden subgroup is chosen from a certain subset. Furthermore, the PGM turns out to be the optimal measurement for distinguishing the resulting hidden subgroup states, in the sense that it maximizes the probability of correctly identifying the hidden subgroup assuming a uniform distribution over the subgroups under consideration (as can be proven using the characterization of optimal measurement by Holevo (1973) and Yuen et al. (1975)). This generalizes the result of (Ip, 2003) that Shor's algorithm implements the optimal measurement for the Abelian HSP, and suggests that in general, optimal measurements may be good candidates for efficient quantum algorithms.

For general groups of the form $A\rtimes\mathbb{Z}/p\mathbb{Z}$, the PGM approach reveals a connection between the original hidden subgroup problem and a related average-case algebraic problem. Specifically, the PGM succeeds in distinguishing the hidden subgroup states exactly when the average case problem is likely to have solutions, and the PGM can be implemented efficiently by giving an efficient algorithm for solving the average case problem (or more precisely, for approximately quantum sampling from the set of solutions to the problem). Different HSPs correspond to different average case problems, of varying difficulty. For example, the dihedral HSP corresponds to the average case subset sum problem (Bacon et al., 2006), which appears to be hard. But other average case problems appearing in the approach are easier, leading to efficient algorithms. Certain instances of the Abelian HSP give rise to systems of linear equations. For the metacyclic HSPs solved in (Moore et al., 2007a) (and indeed for some additional cases), the average-case problem is a discrete log problem, which can be solved using Shor's algorithm as described in Section IV.B. And for the HSP in the Heisenberg group¹³ $(\mathbb{Z}/p\mathbb{Z})^2\rtimes\mathbb{Z}/p\mathbb{Z}$, and more generally in any semidirect product $(\mathbb{Z}/p\mathbb{Z})^r\rtimes\mathbb{Z}/p\mathbb{Z}$, the average case problem is a problem of solving polynomial equations, which can be done efficiently using Gröbner basis techniques provided $r = O(1)$ (Bacon et al., 2005).

Here we briefly summarize the algorithm that results from applying the PGM to the HSP in the Heisenberg group, since this case exemplifies the general approach. The Heisenberg group can be viewed as the semidirect product $(\mathbb{Z}/p\mathbb{Z})^2\rtimes_\varphi\mathbb{Z}/p\mathbb{Z}$, where $\varphi : \mathbb{Z}/p\mathbb{Z}\to\mathrm{Aut}((\mathbb{Z}/p\mathbb{Z})^2)$ is defined by $\varphi(c)(a,b) = (a + bc,\ b)$. Equivalently, it is the group of lower triangular $3\times 3$ matrices

$\left\{\begin{pmatrix} 1 & 0 & 0 \\ b & 1 & 0 \\ a & c & 1 \end{pmatrix} : a,b,c\in\mathbb{F}_p\right\}$ (174)

over $\mathbb{F}_p$, or alternatively, the group generated by generalized Pauli operators $X,Z\in\mathbb{C}^{p\times p}$ satisfying $X|x\rangle = |x+1 \bmod p\rangle$ and $Z|x\rangle = \omega_p^x|x\rangle$, with elements $\omega_p^a X^b Z^c$. With any of these descriptions, the group elements are of the form $(a,b,c)$ with $a,b,c\in\mathbb{Z}/p\mathbb{Z}$, and the group law is

$(a,b,c)\cdot(a',b',c') = (a + a' + b'c,\ b + b',\ c + c').$ (175)

¹³ The Heisenberg group is an example of an extraspecial group. Ivanyos et al. (2007) give an efficient quantum algorithm for the HSP in any extraspecial group (see Section VIII.C for more details). This subsequent algorithm also makes use of the solution of a system of polynomial equations to implement an entangled measurement.

Just as the dihedral HSP can be reduced to the problem of finding a hidden reflection (Footnote 11), one can show that to solve the general HSP in the Heisenberg group, it is sufficient to be able to distinguish the following cyclic subgroups of order p:

$$ H_{a,b} := \langle (a,b,1) \rangle = \{ (a,b,1)^x : x \in \mathbb{Z}/p\mathbb{Z} \}, \quad (176) $$

where a,b ∈ Z/pZ. A simple calculation shows that

$$ (a,b,1)^x = \Bigl( xa + \tbinom{x}{2} b,\; xb,\; x \Bigr). \quad (177) $$

Furthermore, the cosets of any such subgroup can be represented by the p² elements (ℓ,m,0) for (ℓ,m) ∈ (Z/pZ)². Thus the coset state Eq. (130) can be written

$$ |(\ell,m,0) H_{a,b}\rangle = \frac{1}{\sqrt{p}} \sum_{x \in \mathbb{Z}/p\mathbb{Z}} \Bigl| \ell + xa + \tbinom{x}{2} b,\; m + xb,\; x \Bigr\rangle. \quad (178) $$

Our goal is to determine the parameters a,b ∈ Z/pZ using copies of this state with ℓ,m ∈ Z/pZ occurring uniformly at random.

At this point, we could perform weak Fourier sampling over the Heisenberg group without discarding any information. However, as for the dihedral group (Section VII.F), it is simpler to consider an Abelian Fourier transform instead of the full non-Abelian Fourier transform. Using the representation theory of the Heisenberg group (see for example Terras (1999, Chap. 18)), one can show that this procedure is essentially equivalent to non-Abelian Fourier sampling.

Fourier transforming the first two registers over (Z/pZ)², we obtain the state

$$ \frac{1}{p^{3/2}} \sum_{s,t,x \in \mathbb{Z}/p\mathbb{Z}} \omega_p^{\,s(\ell + xa + \binom{x}{2} b) + t(m + xb)} \, |s,t,x\rangle. \quad (179) $$

Now suppose we measure the values s,t appearing in the first two registers. In fact this can be done without loss of information, since the density matrix of the state (mixed over the uniformly random values of ℓ,m) is block diagonal, with blocks labeled by s,t. Collecting the coefficients of the unknown parameters a,b, the resulting p-dimensional quantum state is

(180)

where the values s,t ∈ Z/pZ are known, and are obtained uniformly at random. We would like to use samples of this state to determine a,b ∈ Z/pZ.

With only one copy of this state, there is insufficient information to recover the hidden subgroup: Holevo's theorem (see for example Nielsen and Chuang (2000, Sec. 12.1)) guarantees that a measurement on a p-dimensional quantum state can reliably communicate at most p different outcomes, yet there are p² possible values of (a,b) ∈ (Z/pZ)². Thus we must use at least two copies.

However, by making a joint measurement on two copies of the state, we can recover the information about a,b that is encoded in a quadratic function in the phase. To see this, consider the state

$$ |H_{a,b}; s,t\rangle \otimes |H_{a,b}; u,v\rangle = \frac{1}{p} \sum_{x,y \in \mathbb{Z}/p\mathbb{Z}} \omega_p^{\,\alpha a + \beta b} \, |x,y\rangle, \quad (181) $$

where

$$ \alpha := sx + uy \quad (182) $$

$$ \beta := \tbinom{x}{2} s + tx + \tbinom{y}{2} u + vy \quad (183) $$

and where we suppress the dependence of α,β on s,t,u,v,x,y for clarity. If we could replace |x,y⟩ by |α,β⟩, then the resulting state would be simply the Fourier transform of |a,b⟩, and an inverse Fourier transform would reveal the solution. To work toward this situation we compute the values of α,β in ancilla registers, giving the state

$$ \frac{1}{p} \sum_{x,y \in \mathbb{Z}/p\mathbb{Z}} \omega_p^{\,\alpha a + \beta b} \, |x,y,\alpha,\beta\rangle, \quad (184) $$

and attempt to uncompute the first two registers.

For fixed values of α,β,s,t,u,v ∈ Z/pZ, the quadratic equations Eqs. (182) and (183) could have zero, one, or two solutions x,y ∈ Z/pZ. Thus we cannot hope to erase the first and second registers by a classical procedure conditioned on the values in the third and fourth registers (and the known values of s,t,u,v). However, it is possible to implement a quantum procedure to erase the first two registers by considering the full set of solutions

$$ S^{\alpha,\beta}_{s,t,u,v} := \Bigl\{ (x,y) \in (\mathbb{Z}/p\mathbb{Z})^2 : sx + uy = \alpha \ \text{and}\ \tbinom{x}{2} s + tx + \tbinom{y}{2} u + vy = \beta \Bigr\}. \quad (185) $$

Writing |S⟩ := |S|^{-1/2} Σ_{(x,y) ∈ S} |x,y⟩ for the uniform superposition over a nonempty set S, the state Eq. (184) can be rewritten

$$ \frac{1}{p} \sum_{\alpha,\beta \in \mathbb{Z}/p\mathbb{Z}} \omega_p^{\,\alpha a + \beta b} \sqrt{|S^{\alpha,\beta}_{s,t,u,v}|} \; |S^{\alpha,\beta}_{s,t,u,v}\rangle \, |\alpha,\beta\rangle. \quad (186) $$

Thus, if we could perform a unitary transformation satisfying

$$ |S^{\alpha,\beta}_{s,t,u,v}\rangle \mapsto |\alpha,\beta\rangle \quad \text{for } |S^{\alpha,\beta}_{s,t,u,v}| \neq 0 \quad (187) $$

(and defined in any way consistent with unitarity for other values of α,β), we could erase the first two registers of Eq. (184) (Footnote 14), producing the state

$$ \frac{1}{p} \sum_{\alpha,\beta \in \mathbb{Z}/p\mathbb{Z}} \omega_p^{\,\alpha a + \beta b} \sqrt{|S^{\alpha,\beta}_{s,t,u,v}|} \; |\alpha,\beta\rangle. \quad (188) $$

The inverse of the transformation Eq. (187) is called quantum sampling because it produces a uniform superposition over the set of solutions, a natural quantum analog of random sampling from the solutions.

Since the system of Eqs. (182) and (183) consists of a pair of quadratic equations in two variables over F_p, it has either zero, one, or two solutions x,y ∈ F_p. For about half the cases, there are zero solutions; for about half the cases, there are two solutions; and for a vanishing fraction of the cases, there is only one solution. More explicitly, by a straightforward calculation, the solutions can be expressed in closed form as

$$ x = \frac{\alpha s + sv - tu \pm \sqrt{\Delta}}{s(s+u)}, \quad (189) $$

$$ y = \frac{\alpha u + tu - sv \mp \sqrt{\Delta}}{u(s+u)}, \quad (190) $$

where

$$ \Delta := (2\beta s + \alpha s - \alpha^2 - 2\alpha t)(s+u)u + (\alpha u + tu - sv)^2. \quad (191) $$

Provided su(s+u) ≠ 0, the number of solutions is completely determined by the value of Δ. If Δ is a nonzero square in F_p, then there are two distinct solutions; if Δ = 0 then there is only one solution; and if Δ is a non-square then there are no solutions. In any event, since we can efficiently compute an explicit list of solutions in each of these cases, we can efficiently perform the transformation Eq. (187).

It remains to show that the state Eq. (188) can be used to recover a,b. This state is close to the Fourier transform of |a,b⟩ provided the solutions are nearly uniformly distributed. Since the values of s,t,u,v are uniformly distributed over F_p, it is easy to see that Δ is uniformly distributed over F_p. This means that Δ is a square about half the time, and is a non-square about half the time (with Δ = 0 occurring only with probability 1/p). Thus there are two solutions about half the time and no solutions about half the time. This distribution of solutions is uniform enough for the procedure to work.
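The classical post-processing behind Eq. (187), as an added example that is not part of the original article: it lists S^{α,β}_{s,t,u,v} with the closed form of Eqs. (189) to (191), cross-checks every case against brute force, and tallies how often zero, one or two solutions occur (the distribution the argument above relies on). Function names and the small primes used are the example's own choices.

```python
from collections import Counter
from itertools import product


def binom2(x, p):
    """x choose 2 reduced mod p (p is an odd prime, so 2 is invertible)."""
    return (x * (x - 1) * pow(2, -1, p)) % p


def sqrt_table(p):
    """Map each square r in F_p to its square roots; brute force is fine for small p."""
    roots = {}
    for r in range(p):
        roots.setdefault(r * r % p, []).append(r)
    return roots


def solutions_closed_form(p, s, t, u, v, alpha, beta, roots):
    """S^{alpha,beta}_{s,t,u,v} via Eqs. (189)-(191); needs s*u*(s+u) != 0 mod p."""
    assert (s * u * (s + u)) % p != 0, "closed form needs su(s+u) != 0"
    delta = ((2 * beta * s + alpha * s - alpha * alpha - 2 * alpha * t) * (s + u) * u
             + (alpha * u + t * u - s * v) ** 2) % p
    if delta not in roots:          # Delta is a non-square: no solutions
        return []
    sols = set()
    for r in roots[delta]:          # one root if Delta == 0, two roots otherwise
        x = (alpha * s + s * v - t * u + r) * pow(s * (s + u), -1, p) % p
        y = (alpha * u + t * u - s * v - r) * pow(u * (s + u), -1, p) % p
        sols.add((x, y))
    return sorted(sols)


def solutions_brute_force(p, s, t, u, v, alpha, beta):
    """Direct check of Eqs. (182) and (183) over all (x, y) in (Z/pZ)^2."""
    sols = []
    for x, y in product(range(p), repeat=2):
        if (s * x + u * y) % p != alpha:
            continue
        if (binom2(x, p) * s + t * x + binom2(y, p) * u + v * y) % p != beta:
            continue
        sols.append((x, y))
    return sols


def solution_count_histogram(p):
    """How often |S| is 0, 1 or 2 over all parameter choices with su(s+u) != 0,
    verifying the closed form against brute force for every tuple on the way."""
    roots = sqrt_table(p)
    hist = Counter()
    for s, t, u, v, alpha, beta in product(range(p), repeat=6):
        if (s * u * (s + u)) % p == 0:
            continue
        sols = solutions_closed_form(p, s, t, u, v, alpha, beta, roots)
        assert sols == solutions_brute_force(p, s, t, u, v, alpha, beta)
        hist[len(sols)] += 1
    return hist


if __name__ == "__main__":
    p = 7   # constructed small prime
    print(solutions_closed_form(p, 1, 0, 1, 0, 1, 0, sqrt_table(p)))  # two solutions
    print(solution_count_histogram(5))
```

Because every (x,y) lies in exactly one S^{α,β} for fixed s,t,u,v, the histogram must satisfy hist[1] + 2·hist[2] = number of tuples, so hist[0] = hist[2] exactly; the text's "about half" statements are this identity plus the rarity of Δ = 0.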

Applying the inverse quantum Fourier transform over Z/pZ × Z/pZ, we obtain the state

(192)

Measuring this state, the probability of obtaining the outcome k = a and ℓ = b for any particular values of s,t,u,v is

(193)

Since those values occur uniformly at random, the overall success probability of the algorithm is

(194)

which shows that the algorithm succeeds with probability close to 1/2.

Footnote 14: Note that we can simply apply the transformation Eq. (187) directly to the state Eq. (181); there is no need to explicitly compute the values α,β in an ancilla register.

In summary, the efficient quantum algorithm for the HSP in the Heisenberg group is as follows:

Algorithm 11 (Heisenberg HSP).
Input: Black box function hiding H_{a,b}.
Problem: Determine the parameters a,b.

1. Prepare two coset states, as in Eq. (178).

2. Perform the QFT F_{Z/pZ × Z/pZ} on the first two registers of each coset state and measure those registers in the computational basis, giving Eq. (181).

3. Perform the inverse quantum sampling transformation Eq. (187), giving Eq. (188).

4. Perform the inverse QFT F†_{Z/pZ × Z/pZ}, giving Eq. (192).

5. Measure the resulting state in the computational basis, giving (a,b) with probability 1/2 − o(1).

Because the transformation Eq. (187) acts jointly on the two registers, the algorithm described above effectively makes an entangled measurement on two copies of the hidden subgroup state. However, we do not know whether this is the only way to give an efficient algorithm for the HSP in the Heisenberg group. In particular, recall from Section VII.D that Fourier sampling in a random basis provides sufficient information to reconstruct the hidden subgroup (Radhakrishnan et al., 2005). It would be interesting to know whether there is an efficient quantum algorithm using only the statistics of single-register measurements, or if no such algorithm exists. It would also be interesting to find any group for which Fourier sampling does not suffice, even information-theoretically, but for which there is an efficient quantum algorithm based on multi-register measurements.

The PGM approach outlined above can also be applied to certain state distinguishability problems that do not arise from HSPs. In particular, it can be applied to the generalized Abelian hidden shift problem discussed in Section VIII (for which the average case problem is an integer program) (Childs and van Dam, 2007) and to hidden polynomial problems of the form Eq. (230), as discussed in Section IX (for which the average case problem is again a system of polynomial equations) (Decker et al., 2007).
VIII. HIDDEN SHIFT PROBLEM

The hidden shift problem (also known as the hidden translation problem) is a natural variant of the hidden subgroup problem. Its study has shed light on (and indeed, led to new algorithms for) the HSP. Furthermore, the hidden shift problem has applications that are of interest in their own right.

In the hidden shift problem, we are given two injective functions f_0 : G → S and f_1 : G → S, with the promise that

$$ f_0(g) = f_1(sg) \quad \text{for some } s \in G. \quad (196) $$

The goal of the problem is to find s, the hidden shift. In the non-Abelian hidden shift problem, as in the non-Abelian HSP, there is an arbitrary choice of left or right multiplication; here we again make the choice of left multiplication.

When G is Abelian, this problem is equivalent to the HSP in G ⋊_φ Z/2Z (sometimes called the G-dihedral group), where the homomorphism φ : Z/2Z → Aut(G) is defined by φ(0)(x) = x and φ(1)(x) = x^{-1}. In particular, the hidden shift problem in Z/NZ is equivalent to the dihedral HSP. To see this, consider the function f : G ⋊ Z/2Z → S defined by f(x,b) := f_b(x). This function hides the involution ⟨(s,1)⟩, so a solution of the HSP gives a solution of the hidden shift problem. Conversely, solving the HSP in G ⋊ Z/2Z with the promise that H is an involution is sufficient to solve the HSP in general (Footnote 11), so a solution of the hidden shift problem gives a solution of the HSP. While no polynomial time quantum algorithm is known for the general Abelian hidden shift problem, Kuperberg's sieve (Algorithm 10) solves the problem in time 2^{O(√(log|G|))}, whereas a brute force approach takes 2^{Ω(log|G|)} steps.

When G is non-Abelian, the inversion map x ↦ x^{-1} is not a group automorphism, so we cannot even define a group G ⋊_φ Z/2Z. However, the hidden shift problem in G is closely connected to an HSP, namely in the wreath product group G ≀ Z/2Z = (G × G) ⋊_φ Z/2Z, where φ(0)(x,y) = (x,y) and φ(1)(x,y) = (y,x). The hidden shift problem in G reduces to the HSP in G ≀ Z/2Z with the hidden subgroup ⟨(s, s^{-1}, 1)⟩. Furthermore, the HSP in G ≀ Z/2Z with hidden subgroups of this form reduces to the hidden shift problem in G × G. Thus, for families of groups in which G × G is contained in a larger group G' from the same family (such as for the symmetric group, where S_n × S_n ≤ S_{2n}), the hidden shift and hidden subgroup problems are essentially equivalent (Hallgren et al., 2006). Moreover, by a similar argument to the one in Section VII.E, the quantum query complexity of the hidden shift problem in G is poly(log|G|) even when G is non-Abelian.

Testing isomorphism of rigid graphs can be cast as a hidden shift problem in the symmetric group. If we let f(π,0) = π(Γ) and f(π,1) = π(Γ'), then the hidden shift is σ, where Γ = σ(Γ'). Despite the equivalence between hidden shift and hidden subgroup problems, the hidden shift problem in S_n is arguably a more natural setting for rigid graph isomorphism than the HSP, since every possible hidden shift corresponds to a possible isomorphism between graphs, whereas the HSP must be restricted to certain subgroups (Childs and Wocjan, 2007).



In this section we describe quantum algorithms for various hidden shift problems. We begin by presenting a single-register measurement for the cyclic hidden shift problem (i.e., the dihedral HSP) that provides sufficient information to encode the hidden shift. While no efficient way of postprocessing this information is known, we explain how a similar approach leads to an efficient quantum algorithm for the hidden shift problem over (Z/pZ)^n with p a fixed prime. Since both of these problems are Abelian hidden shift problems, they could equally well be viewed as HSPs, but we discuss them here because the latter is an important ingredient of the orbit coset approach, which uses self-reducibility of a quantum version of the hidden shift problem to give efficient quantum algorithms for certain hidden subgroup and hidden shift problems. Then we describe an algorithm for the shifted Legendre symbol problem, a non-injective variant of the dihedral HSP that can be solved efficiently, and that also leads to an efficient quantum algorithm for estimating Gauss sums. Finally, we describe a generalization of the hidden shift problem that interpolates to an Abelian HSP, and that can be solved efficiently in some cases even when the original hidden shift problem cannot.



A. Abelian Fourier sampling for the dihedral HSP

Consider the HSP in the dihedral group Z/NZ ⋊ Z/2Z with hidden subgroup ⟨(s,1)⟩, or equivalently, the hidden shift problem in the cyclic group Z/NZ with hidden shift s. Recall from Section VII.F (specifically, Eq. (170)) that the standard method, followed by a measurement of the first register in the Fourier basis (over Z/NZ), produces the state (1/√2)(|0⟩ + ω_N^{ks}|1⟩) for some uniformly random measurement outcome k ∈ Z/NZ. Now suppose we measure this qubit in the basis of states |±⟩ := (1/√2)(|0⟩ ± |1⟩) (i.e., the Fourier basis over Z/2Z); then the outcome '+' occurs with probability cos²(πks/N). Thus, if we keep only those measured values of k for which the outcome of the second measurement is '+', we effectively sample from a distribution over k ∈ Z/NZ with P_+(k) = 2cos²(πks/N)/N.

This procedure was proposed by Ettinger and Høyer (2000), who showed that O(log N) samples of the resulting distribution provide sufficient information to determine k with high probability. This single-register measurement is a much simpler procedure than either the Kuperberg sieve (Kuperberg, 2005) or the optimal measurement described in (Bacon et al., 2006), both of which correspond to highly entangled measurements. However, we are left with the problem of post-processing the measurement results to infer the value of s, for which no efficient procedure is known.

B. Finding hidden shifts in (Z/pZ)^n

A similar approach can be applied to the hidden shift problem in the elementary Abelian p-group (Z/pZ)^n with p a fixed prime, but in this case the postprocessing can be carried out efficiently. This result is an important building block in an efficient quantum algorithm for the hidden shift and hidden subgroup problems in certain families of solvable groups (Friedl et al., 2003), as discussed in the next section.

Consider the hidden shift problem in (Z/pZ)^n with hidden shift s. Applying the standard method, we obtain the hidden shift state

(197)

for some unknown z ∈ (Z/pZ)^n chosen uniformly at random. Now suppose that, as in the measurement for the dihedral group described above, we perform Abelian Fourier sampling on this state. In other words, we Fourier transform the first register over (Z/pZ)^n and the second over Z/2Z; this gives

(198)

Finally, suppose we measure this state in the computational basis. A straightforward calculation shows that we obtain the outcome (y,0) with probability cos²(π y·s/p)/p^n and the outcome (y,1) with probability sin²(π y·s/p)/p^n. Thus, conditioned on observing 1 in the second register, we see y in the first register with probability

$$ \Pr(y) = \frac{2}{p^n} \sin^2\!\Bigl( \frac{\pi\, y \cdot s}{p} \Bigr). \quad (199) $$

In particular, notice that there is zero probability of seeing any y ∈ (Z/pZ)^n such that y·s = 0 mod p: we see only points that are not orthogonal to the hidden shift. (This may be contrasted with the HSP in (Z/pZ)^n with hidden subgroup ⟨s⟩, in which Fourier sampling only gives points x ∈ (Z/pZ)^n with x·s = 0.)

We now argue that O(n) samples from this distribution are information-theoretically sufficient to determine the hidden shift s. Since we only observe points y that are not orthogonal to s, the observation of y allows us to eliminate the hyperplane y·s = 0 of possible values of s. With enough samples, we can eliminate all possible candidate values of s except the true value (and scalar multiples thereof).

For simplicity, suppose we sample uniformly from all y ∈ (Z/pZ)^n satisfying y·s ≠ 0 for the unknown s. While the true distribution Eq. (199) is not uniform, it is not far from uniform, so the argument given here can easily be modified to work for the true distribution. Consider some fixed candidate value s' with s' ≠ as for any a ∈ Z/pZ. If y were sampled uniformly at random, then s' would be eliminated with probability 1/p. Sampling uniformly from the subset of points y satisfying y·s ≠ 0 only raises the probability of eliminating s', so a randomly sampled y eliminates s' with probability at least 1/p. Thus after O(n) samples, the probability of not eliminating s' is exponentially small, and by a union bound, the probability of any such s' not being eliminated is upper bounded by a constant.

Unfortunately, given k = O(n) samples y_1, ..., y_k, we do not know how to efficiently determine s. We would like to solve the system of inequations y_1·s ≠ 0, ..., y_k·s ≠ 0 for s ∈ (Z/pZ)^n. Using Fermat's little theorem, which says that a^{p−1} = 1 for any a ∈ Z/pZ with a ≠ 0, we can rewrite these inequations as a system of polynomial equations (y_1·s)^{p−1} = ··· = (y_k·s)^{p−1} = 1. However, the problem of solving polynomial equations over a finite field is NP-hard, so we cannot hope to solve for s quickly using generic methods.

This problem is circumvented in (Friedl et al., 2003; Ivanyos, 2008) using the idea of linearization. If we treat each product of p−1 components of s ∈ (Z/pZ)^n as a separate variable, then we can view (y·s)^{p−1} = 1 as a linear equation over a vector space of dimension (n+p−2 choose p−1) (the number of ways of choosing p−1 items from n items, with replacement and without regard for ordering). Since this method treats variables as independent that are in fact highly dependent, it requires more samples to obtain a unique solution. Nevertheless, Friedl et al. (2003) show that O(n^{p−1}) samples suffice. Since this method only involves linear equations, and the number of equations remains poly(n) (recall the assumption that p = O(1)), the resulting algorithm is efficient.
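The linearization step, as an added example that is not part of the original article: each sample y yields the linear equation Σ_I c_I z_I = 1 in the monomials z_I = s^I of degree p−1 (the c_I are multinomial coefficients), the system is solved by Gaussian elimination mod p, and s is read back up to a scalar from z. To keep the check exact it feeds in every y with y·s ≠ 0 rather than O(n^{p−1}) random samples; the hidden shifts, primes and function names are the example's own.

```python
from itertools import combinations_with_replacement, product
from math import factorial


def monomials(n, p):
    """Multisets of p-1 indices from {0..n-1}: the degree-(p-1) monomials in s."""
    return list(combinations_with_replacement(range(n), p - 1))


def linearized_row(y, n, p):
    """Coefficients c_I with (y.s)^(p-1) = sum_I c_I s^I (multinomial theorem), mod p."""
    row = []
    for mono in monomials(n, p):
        coef = factorial(p - 1)
        for i in set(mono):
            coef //= factorial(mono.count(i))
        for i in mono:
            coef *= y[i]
        row.append(coef % p)
    return row


def solve_mod_p(rows, rhs, p):
    """Gaussian elimination over F_p; None if the solution is not unique or the system is inconsistent."""
    m = [r[:] + [b] for r, b in zip(rows, rhs)]
    ncols = len(rows[0])
    pivot_row = 0
    for col in range(ncols):
        piv = next((r for r in range(pivot_row, len(m)) if m[r][col]), None)
        if piv is None:
            return None                      # free variable: too few independent samples
        m[pivot_row], m[piv] = m[piv], m[pivot_row]
        inv = pow(m[pivot_row][col], -1, p)
        m[pivot_row] = [(v * inv) % p for v in m[pivot_row]]
        for r in range(len(m)):
            if r != pivot_row and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % p for a, b in zip(m[r], m[pivot_row])]
        pivot_row += 1
    if any(row[-1] for row in m[pivot_row:]):
        return None                          # inconsistent: some sample had y.s == 0
    return [m[i][-1] for i in range(ncols)]


def recover_shift(samples, n, p):
    """Recover s up to a nonzero scalar from samples y with y.s != 0 mod p."""
    rows = [linearized_row(y, n, p) for y in samples]
    z = solve_mod_p(rows, [1] * len(rows), p)
    if z is None:
        return None
    value = dict(zip(monomials(n, p), z))
    # s_i^(p-1) = 1 exactly when s_i != 0; fix the first such i, so s_i^(p-2) = s_i^-1
    # and the monomial (i,...,i,j) equals s_i^-1 s_j, i.e. s scaled to have s_i = 1.
    i = next(k for k in range(n) if value[(k,) * (p - 1)] == 1)
    return [value[tuple(sorted((i,) * (p - 2) + (j,)))] for j in range(n)]


def normalize(s, p):
    """Scale a vector so its first nonzero entry is 1 (the scalar ambiguity noted in the text)."""
    lead = next(v for v in s if v % p)
    inv = pow(lead, -1, p)
    return [(v * inv) % p for v in s]


def all_nonorthogonal(s, n, p):
    """Constructed sample set: every y in (Z/pZ)^n with y.s != 0, the points Eq. (199) can return."""
    return [y for y in product(range(p), repeat=n) if sum(a * b for a, b in zip(y, s)) % p]


if __name__ == "__main__":
    p, n = 3, 4
    s = [2, 0, 1, 1]                          # constructed hidden shift
    print(recover_shift(all_nonorthogonal(s, n, p), n, p), normalize(s, p))
```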

A similar approach works for the hidden shift problem in (Z/p^r Z)^n, where p^r is any fixed prime power (Friedl et al., 2003; Ivanyos, 2008). However, no efficient algorithm is known for the case of (Z/mZ)^n with m not a prime power, even in the smallest case, m = 6.



C. Self-reducibility, quantum hiding, and the orbit coset problem

By combining the result of the previous section with a self-reducible variant of the hidden shift problem, Friedl et al. (2003) also give an efficient quantum algorithm for the HSP and hidden shift problem in a large family of solvable groups. The idea of self-reducibility is as follows. Suppose we could reduce the HSP in G to the HSP in subgroups of G, and apply such a reduction recursively until the remaining groups are either simple enough that the HSP can be solved by some known method, or small enough that it can be solved by brute force. For example, it would be useful if we could reduce the HSP in G to the HSP in N and G/N, where N ◁ G is a proper normal subgroup of G. No approach of this kind has been directly applied to the HSP or the hidden shift problem, but this self-reducibility concept has proved fruitful for a quantum generalization of the hidden shift problem called the orbit coset problem.

Recall that in the standard method for the HSP, we prepare the uniform superposition |G⟩, query a black-box function f : G → S satisfying Eq. (126), and discard the resulting function value, producing a uniformly random coset state |xH⟩. More generally, suppose we have some black-box isometry F satisfying

$$ F|x\rangle = |x\rangle \otimes |\phi_x\rangle \quad (200) $$

for some set of quantum states {|φ_x⟩ : x ∈ G} satisfying

$$ \langle \phi_x | \phi_y \rangle = \begin{cases} 1 & y \in xH \\ 0 & \text{otherwise.} \end{cases} \quad (201) $$

By analogy to Eq. (126), we say that F is a quantum hiding function for H in G. Querying the quantum black box F on the uniform superposition |G⟩ and discarding the second register has the same effect as the standard method: the result is a uniformly random coset state |xH⟩. But the possibility of using quantum superpositions for the states |φ_x⟩ offers more freedom when constructing reductions.

One way to produce quantum hiding states {|φ_x⟩ : x ∈ G} is as follows. Let Φ be an orthonormal set of quantum states, and let α : G × Φ → Φ be a (left) action of G on Φ. For some fixed |φ⟩ ∈ Φ, define |φ_x⟩ := α(x)(|φ⟩). Then the isometry Eq. (200) is a quantum hiding function for the stabilizer of |φ⟩, the subgroup stab(|φ⟩) := {x ∈ G : α(x)(|φ⟩) = |φ⟩} ≤ G. Fixing G, Φ, and α, the stabilizer problem (Footnote 15) asks us to find a generating set for stab(|φ⟩) given (some number of copies of) the state |φ⟩.

In the same sense that the stabilizer problem can be viewed as an HSP with a quantum hiding function, the orbit coset problem is analogous to the hidden shift problem. The orbit coset of |φ_0⟩, |φ_1⟩ ∈ Φ is the set {x ∈ G : α(x)(|φ_1⟩) = |φ_0⟩}; it is either empty or a left coset of stab(|φ_1⟩) (or equivalently, a right coset of stab(|φ_0⟩)). In the orbit coset problem (OCP), we are given (some number of copies of) |φ_0⟩, |φ_1⟩ ∈ Φ. The goal is to decide whether their orbit coset is nonempty, and if so, to find both a generating set for stab(|φ_1⟩) and an element x ∈ G such that α(x)(|φ_0⟩) = |φ_1⟩.

It can be shown that for any group G and any solvable normal subgroup N ◁ G, the OCP in G reduces to the OCP in G/N and subgroups of N (Friedl et al., 2003). While the details are beyond the scope of this article, the reduction is based on a method for creating a uniform superposition over the orbit of a state |φ⟩ under the action α, building on a technique introduced by Watrous in his algorithms for solvable groups (Section IV.G). By combining this with the efficient quantum algorithm for the hidden shift problem in (Z/pZ)^n discussed in Section VIII.B (which can be straightforwardly adapted to an efficient algorithm for orbit coset in (Z/pZ)^n), Friedl et al. (2003) obtain an efficient quantum algorithm for the hidden shift problem in smoothly solvable groups, and for the HSP in solvable groups with a smoothly solvable commutator subgroup.

Recently, Ivanyos, Sanselme, and Santha have given algorithms for the HSP in extraspecial groups (Ivanyos et al., 2007) and groups of nilpotency class at most 2 (Ivanyos et al., 2008). These algorithms use the concept of a quantum hiding function introduced above to reduce the problem to an Abelian HSP. It would be interesting to develop further applications of quantum hiding functions to the HSP, hidden shift, and related problems.



D. Shifted Legendre symbol and Gauss sums

While no efficient quantum algorithm is known for the cyclic hidden shift problem (i.e., the dihedral HSP) for a general function f_0 : Z/NZ → S, the problem can be more tractable given a hiding function of a particular form. As a simple example, the hidden shift problem with the identity function f_0(x) = x is trivial; but this case is uninteresting as the problem can be solved equally well with a classical or quantum computer. However, more interesting examples can be constructed if we drop the requirement that f_0 be injective (Footnote 16). For example, the Legendre symbol χ provides an example of a function with an efficient quantum algorithm, but no known efficient classical algorithm.



1. Shifted Legendre symbol problem

For a finite field F_p with p an odd prime, the value of the Legendre symbol χ : F_p → {−1, 0, +1} depends on whether x is zero, a nonzero square (i.e., a quadratic residue), or a nonsquare (i.e., a quadratic nonresidue) in F_p. It is defined by

$$ \chi(x) = \begin{cases} 0 & x = 0 \\ +1 & \exists\, y \neq 0 : x = y^2 \\ -1 & \text{otherwise.} \end{cases} \quad (202) $$

For example, in F_5 we have the values

   x      1    2    3    4
   χ(x)  +1   −1   −1   +1

The Legendre symbol is a multiplicative character, as it is easy to verify that χ(xy) = χ(x)χ(y) for all x,y ∈ F_p. This fact can be used to show that Σ_{x∈F_p} χ(x) = 0. The identity

$$ \chi(x) = x^{(p-1)/2} \bmod p \quad (203) $$

shows that repeated squaring modulo p can be used to compute the value χ(x) in time poly(log p).

In the shifted Legendre symbol problem over F_p, we define the functions f_0(x) := χ(x) and f_1(x) := χ(x + s) for all x ∈ F_p; the task is to determine the hidden shift s given a black-box implementation of the function f_1. We emphasize that although the functions f_0, f_1 are not injective, this can nevertheless be viewed as (a relaxed version of) a hidden shift problem. The ability to efficiently solve this particular hidden shift problem quantum mechanically stems from properties of multiplicative functions under the (additive) Fourier transform.

No efficient classical algorithm for the shifted Legendre symbol problem is known. Although one can show that O(log p) random queries to the function χ(x + s) are sufficient to obtain enough information to determine s (van Dam, 2002), it is not clear how to do so efficiently. In fact, the Legendre sequence χ(x), χ(x + 1), ... has been proposed as a pseudorandom function with potential cryptographic applications (Damgård, 1990).

Footnote 15: Kitaev (1995) gave an efficient algorithm for the stabilizer problem in the case where G is Abelian and the hiding function is classical, prefiguring the hidden subgroup framework.

Footnote 16: Dropping this restriction, the quantum query complexity of the hidden shift problem may no longer be polynomial; for example, the hidden shift problem with f_0(x) = δ_{x,0} is equivalent to unstructured search, which has quantum query complexity Ω(√N) (Bennett et al., 1997).

The following quantum algorithm efficiently solves the shifted Legendre symbol problem (van Dam et al., 2006):

Algorithm 12 (Shifted Legendre symbol).

Input: Black-box function χ(x + s) for some unknown s ∈ F_p.

Problem: Determine the hidden shift s.

1. Prepare the uniform superposition |F_p⟩ and query the function in an ancilla register, giving the state

$$ \frac{1}{\sqrt{p}} \sum_{x \in \mathbb{F}_p} |x, \chi(x+s)\rangle. \quad (204) $$

2. Measure whether the second register is in the state |0⟩. If it is, the first register is left in the state |−s⟩, and measuring it determines s. Otherwise, we are left with the state

(205)

and we continue.

3. Apply the unitary operation |x,b⟩ ↦ (−1)^b |x,b⟩ and uncompute the shifted Legendre symbol, giving the state

(206)

4. Apply the Fourier transform over F_p, yielding

(207)

where χ̂ : F_p → C is the normalized Fourier transform of χ (a normalized Gauss sum, cf. Eq. (216)), namely

(208)

(Note that χ̂(0) = 0 and |χ̂(y)| = 1 for y ∈ F_p^×.)

5. The equality

$$ \hat{\chi}(y) = \frac{1}{\sqrt{p}} \sum_{x \in \mathbb{F}_p} \omega_p^{\,x}\, \chi(x y^{-1}) \quad (209) $$

$$ \phantom{\hat{\chi}(y)} = \chi(y)\, \hat{\chi}(1) \quad (210) $$

shows that the state Eq. (207) is in fact a uniformly weighted superposition of the elements of F_p^×, where the state |y⟩ has a phase proportional to χ(y) ω_p^{−sy}. Thus we correct the relative phases by the operation |y⟩ ↦ χ(y)|y⟩ for all y ∈ F_p^×, giving the state

(211)

6. Perform the Fourier transform over F_p and measure in the computational basis, giving s with probability 1 − O(1/p).

It is easy to see that the above algorithm solves the shifted Legendre symbol problem not only over a prime field F_p, but over any finite field F_q. To verify this, we need only compute the Fourier transform of the quadratic character χ : F_q → {−1, 0, +1}, namely

$$ \hat{\chi}(y) = \frac{1}{\sqrt{q}} \sum_{x \in \mathbb{F}_q} \omega_p^{\,\mathrm{Tr}(xy)}\, \chi(x) \quad (212) $$

$$ \phantom{\hat{\chi}(y)} = \frac{1}{\sqrt{q}} \sum_{x \in \mathbb{F}_q} \omega_p^{\,\mathrm{Tr}(x)}\, \chi(x y^{-1}) \quad (213) $$

$$ \phantom{\hat{\chi}(y)} = \chi(y)\, \hat{\chi}(1) \quad (214) $$

(recall the definition of the Fourier transform over F_q in Section III.D). Indeed, the solution can be generalized to any shifted multiplicative character of F_q (van Dam et al., 2006), and to any function over F_q that hides a multiplicative subgroup of polylogarithmic index (Moore et al., 2007a).

For the ring Z/NZ with N = p_1^{e_1} × ··· × p_k^{e_k} odd, the generalization of the Legendre symbol is called the Jacobi symbol (·/N) : Z/NZ → {−1, 0, +1}. It is defined as the product

$$ \Bigl( \frac{x}{N} \Bigr) := \Bigl( \frac{x}{p_1} \Bigr)^{e_1} \cdots \Bigl( \frac{x}{p_k} \Bigr)^{e_k} \quad (215) $$

(where (x/p) := χ(x) is an alternative notation for the Legendre symbol that makes the field size explicit). This is again a multiplicative character, although its values need not indicate squares modulo N (for example, (2/15) = (2/3)(2/5) = (−1)² = 1, while 2 is not a square modulo 15). Analogous to the shifted Legendre symbol problem, one can define a shifted Jacobi symbol problem over Z/NZ, which also has an efficient quantum algorithm (van Dam et al., 2006).



2. Estimating Gauss sums

In the above solution to the shifted Legendre symbol problem, we encountered the Fourier transform of the multiplicative character χ, which is a Gauss sum. This naturally leads to a quantum algorithm for approximating Gauss sums (van Dam and Seroussi, 2002).

For a finite field F_q, a nontrivial multiplicative character χ : F_q^× → C, and a nontrivial additive character ψ : F_q → C, the Gauss sum is defined as the inner product between these two characters:

$$ G(\chi, \psi) := \sum_{x \in \mathbb{F}_q} \chi(x)\, \psi(x). \quad (216) $$

It is not hard to show that any Gauss sum has norm |G(χ,ψ)| = √q, so to learn the value of a Gauss sum, it suffices to determine the phase φ ∈ [0, 2π) of G(χ,ψ) = √q e^{iφ}.
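A numerical check of the identities that the shifted Legendre symbol algorithm and the Gauss sum rely on, as an added example that is not part of the original article: χ via Euler's criterion, Eq. (203); the Jacobi symbol product of Eq. (215) for the (2/15) case; and the normalized transform χ̂ showing χ̂(0) = 0, |χ̂(y)| = 1 and χ̂(y) = χ(y)χ̂(1), which is the statement |G(χ,ψ)| = √p for the Gauss sum of Eq. (216). Function names are the example's own.

```python
import cmath
from math import isclose, sqrt


def legendre(x, p):
    """chi(x) for an odd prime p by Euler's criterion, Eq. (203): x^((p-1)/2) mod p in {-1, 0, +1}."""
    r = pow(x % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r          # r is 0, 1 or p-1


def jacobi(x, factors):
    """(x/N) for odd N given as {prime: exponent}: the product of Eq. (215)."""
    result = 1
    for q, e in factors.items():
        result *= legendre(x, q) ** e
    return result


def chi_hat(y, p):
    """Normalized additive Fourier transform of chi at y: (1/sqrt(p)) sum_x omega_p^{xy} chi(x)."""
    omega = cmath.exp(2j * cmath.pi / p)
    return sum(omega ** ((x * y) % p) * legendre(x, p) for x in range(p)) / sqrt(p)


def gauss_sum(p, b=1):
    """G(chi, psi_b) = sum_x chi(x) omega_p^{bx}, the unnormalized form of chi_hat(b)."""
    return chi_hat(b, p) * sqrt(p)


def check_fourier_identities(p):
    """chi_hat(0) = 0, |chi_hat(y)| = 1 for y != 0, and chi_hat(y) = chi(y) chi_hat(1) (Eqs. (209)-(210))."""
    if abs(chi_hat(0, p)) > 1e-9:
        return False
    base = chi_hat(1, p)
    for y in range(1, p):
        value = chi_hat(y, p)
        if not isclose(abs(value), 1.0, abs_tol=1e-9):
            return False
        if abs(value - legendre(y, p) * base) > 1e-9:
            return False
    return True


def gauss_phase(p):
    """The angle phi in [0, 2 pi) with G(chi, psi_1) = sqrt(p) e^{i phi}, the quantity Algorithm 13 estimates."""
    return cmath.phase(gauss_sum(p)) % (2 * cmath.pi)


if __name__ == "__main__":
    print([legendre(x, 5) for x in range(5)])   # the F_5 table: 0, +1, -1, -1, +1
    print(jacobi(2, {3: 1, 5: 1}))              # +1 although 2 is not a square modulo 15
    print(check_fourier_identities(7), gauss_phase(7))
```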

There are q−1 distinct multiplicative characters χ_a : F_q^× → C indexed by a ∈ Z/(q−1)Z. For a fixed multiplicative generator g of F_q^×, we have χ_a(g^j) := ω_{q−1}^{aj} for all j ∈ Z, and χ_a(0) := 0. The q−2 nontrivial characters are those with a ≠ 0. As the discrete logarithm log_g(g^j) = j mod q−1 can be calculated efficiently with a quantum computer (Section IV.B), we can efficiently induce the phase χ_a(g^j) by subtracting the value aj modulo q−1 from the state |1̂⟩ (the Fourier basis state labeled 1 over Z/(q−1)Z), giving

$$ |g^j\rangle \otimes |\hat{1}\rangle = |g^j\rangle \otimes \frac{1}{\sqrt{q-1}} \sum_{k \in \mathbb{Z}/(q-1)\mathbb{Z}} \omega_{q-1}^{\,k}\, |k\rangle \quad (217) $$

$$ \mapsto |g^j\rangle \otimes \frac{1}{\sqrt{q-1}} \sum_{k \in \mathbb{Z}/(q-1)\mathbb{Z}} \omega_{q-1}^{\,k}\, |k - aj\rangle \quad (218) $$

$$ = \frac{1}{\sqrt{q-1}} \sum_{k \in \mathbb{Z}/(q-1)\mathbb{Z}} \omega_{q-1}^{\,k + aj}\, |g^j\rangle \otimes |k\rangle \quad (219) $$

$$ = \chi_a(g^j)\, |g^j\rangle \otimes |\hat{1}\rangle \quad (220) $$

(this is sometimes referred to as the phase kickback trick). The q additive characters ψ_b : F_q → C indexed by b ∈ F_q are defined as ψ_b(x) := ω_p^{Tr(bx)} for all x ∈ F_q. The character ψ_0 is trivial, and all b ≠ 0 give nontrivial characters.

With these definitions in place, the Gauss sum estimation algorithm is as follows.

Algorithm 13 (Gauss sum estimation).

Input: A finite field F_q, a nontrivial multiplicative character χ_a (where a ∈ (Z/(q−1)Z)^×), and a nontrivial additive character ψ_b (where b ∈ F_q^×).

Problem: Approximate within precision δ > 0 the angle φ ∈ [0, 2π) such that G(χ_a, ψ_b) = √q e^{iφ}.

Perform phase estimation (Section III.C) with precision δ on the following single-qubit unitary operation (which requires applying the operation O(1/δ) times), inputting its eigenstate |1⟩ of eigenvalue e^{iφ}:

1. For an arbitrary input state α|0⟩ + β|1⟩, prepare the state |F_q^×⟩ in an ancilla register.

2. Using the phase kickback trick described in Eq. (220), transform the state to

(1/√(q−1)) ( α|0⟩ ⊗ Σ_{x ∈ F_q^×} |x⟩ + β|1⟩ ⊗ Σ_{x ∈ F_q^×} χ_a(x) |x⟩ ).   (221)

3. Conditional on the qubit being in the state |1⟩, multiply the ancilla register by b and apply the Fourier transform over F_q, yielding the state

(1/√(q−1)) ( α|0⟩ ⊗ Σ_{x ∈ F_q^×} |x⟩ + e^{iφ} β|1⟩ ⊗ Σ_{x ∈ F_q^×} χ̄_a(x) |x⟩ ),   (222)

where

e^{iφ} = G(χ_a, ψ_b) / √q.   (223)

4. Apply the phase rotation |x⟩ ↦ χ_a(x)|x⟩ to the ancilla register, returning it to its original state, and giving

(α|0⟩ + e^{iφ} β|1⟩) ⊗ |F_q^×⟩.   (224)

Discarding the ancilla register, notice that the above steps effectively implement the conditional phase shift |0⟩ ↦ |0⟩, |1⟩ ↦ e^{iφ}|1⟩.

The above quantum algorithm has running time polynomial in log q and 1/δ, whereas classical sampling over the q values χ_a(x)ψ_b(x) requires poly(q/δ) samples to achieve the same quality of approximation.
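As an added example (not code from the paper), the following Python computes Gauss sums over a prime field F_p directly from Eq. (216) and classically simulates the four steps of Algorithm 13 on a 2·p-dimensional state vector, confirming that the ancilla returns to |F_p^×⟩ and that the qubit picks up exactly the phase e^{iφ} = G(χ_a, ψ_b)/√p. Assumptions of the example: q = p is prime (so the trace map is the identity and ψ_b(x) = ω_p^{bx}), p is small enough that a brute-force discrete logarithm table stands in for the quantum discrete logarithm of step 2, and the step-4 phase rotation is applied only on the |1⟩ branch.

```python
import cmath
import math

# Added example: Gauss sums over F_p and a state-vector simulation of the
# single-qubit unitary that Algorithm 13 feeds to phase estimation.
# Assumes p prime and small (brute-force generator and discrete log table).

def generator(p):
    """Smallest multiplicative generator g of F_p^x (p prime, p small)."""
    for g in range(2, p):
        if len({pow(g, j, p) for j in range(p - 1)}) == p - 1:
            return g
    raise ValueError("no generator found: is p a prime > 2?")

def characters(p, a, b):
    """Return (chi_a, psi_b) as callables on integers mod p."""
    g = generator(p)
    dlog = {pow(g, j, p): j for j in range(p - 1)}      # classical stand-in for the quantum dlog
    def chi_a(x):
        x %= p
        if x == 0:
            return 0                                      # chi_a(0) := 0
        return cmath.exp(2j * math.pi * a * dlog[x] / (p - 1))   # omega_{p-1}^{a * log_g(x)}
    def psi_b(x):
        return cmath.exp(2j * math.pi * b * x / p)        # omega_p^{b x} (Tr is the identity for q = p)
    return chi_a, psi_b

def gauss_sum(p, a, b):
    """G(chi_a, psi_b) = sum_{x in F_p} chi_a(x) psi_b(x), Eq. (216) with q = p."""
    chi_a, psi_b = characters(p, a, b)
    return sum(chi_a(x) * psi_b(x) for x in range(p))

def gauss_unitary_eigenvalue(p, a, b):
    """Run steps 1-4 of Algorithm 13 on the input (|0> + |1>)/sqrt(2) and return the
    relative phase acquired by |1>; it should equal G(chi_a, psi_b)/sqrt(p)."""
    chi_a, _ = characters(p, a, b)
    alpha = beta = 1 / math.sqrt(2)
    norm = 1 / math.sqrt(p - 1)
    amp = [[0j] * p for _ in range(2)]                    # amp[c][x]: qubit |c>, ancilla |x>
    for x in range(1, p):                                 # steps 1-2: ancilla |F_p^x>, then
        amp[0][x] = alpha * norm                          # phase kickback chi_a(x) on the
        amp[1][x] = beta * norm * chi_a(x)                # |1> branch only (Eq. 221)
    # step 3 (|1> branch only): |x> -> |b x>, then the Fourier transform over F_p
    shifted = [0j] * p
    for x in range(p):
        shifted[(b * x) % p] = amp[1][x]
    amp[1] = [sum(shifted[x] * cmath.exp(2j * math.pi * x * y / p) for x in range(p))
              / math.sqrt(p) for y in range(p)]
    # step 4 (applied on the |1> branch): |x> -> chi_a(x)|x> cancels the conjugate
    # character left by the transform, restoring the ancilla to |F_p^x> (Eq. 224)
    amp[1] = [chi_a(x) * amp[1][x] for x in range(p)]
    assert abs(amp[1][0]) < 1e-9                          # the zero element never appears
    for x in range(1, p):
        assert abs(amp[0][x] - alpha * norm) < 1e-9       # |0> branch untouched
    magnitudes = {round(abs(amp[1][x] / amp[0][x]), 9) for x in range(1, p)}
    assert magnitudes == {1.0}, "|1> branch is not a pure phase times |F_p^x>"
    return amp[1][1] / amp[0][1]                          # = e^{i phi}

if __name__ == "__main__":
    p, a, b = 7, 2, 3
    G = gauss_sum(p, a, b)
    print("G =", G, "|G|^2 =", abs(G) ** 2, "(expect p =", p, ")")
    print("simulated eigenvalue:", gauss_unitary_eigenvalue(p, a, b))
    print("G / sqrt(p):         ", G / math.sqrt(p))
```

The simulation uses the identity G(χ_a, ψ_{by}) = χ̄_a(y) G(χ_a, ψ_b), which is why multiplying the ancilla by b before the Fourier transform leaves exactly e^{iφ} on the |1⟩ branch and the conjugate character χ̄_a on the ancilla; the brute-force `gauss_sum` is the classical O(p) reference that the quantum algorithm replaces with poly(log p, 1/δ) work.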

Both additive and multiplicative characters can be defined over the ring Z/NZ, and there are corresponding Gauss sums

G(χ_a, ψ_b) := Σ_{x ∈ Z/NZ} χ_a(x) ψ_b(x)   (225)

with χ_a(xy) = χ_a(x)χ_a(y) and ψ_b(x) = ω_N^{bx} for all x, y ∈ Z/NZ (see the comprehensive book by Berndt et al. (1998)). Such Gauss sums over finite rings can be approximated by a quantum computer as well, using the above algorithm in a relatively straightforward way.

As Gauss sums occur frequently in the calculation of the number of points on hypersurfaces over finite fields (see for example Ireland and Rosen (1990)), these same quantum algorithms can be used to approximately count such points with an accuracy that does not seem achievable classically (van Dam, 2004).



E. Generalized hidden shift problem

Pólya has advised that "if there is a problem you can't solve, then there is an easier problem you can solve: find it" (Pólya, 1945). In that spirit, we conclude our discussion of the hidden shift problem by describing a generalization that offers more ways to obtain information about the hidden shift. At least in the case of cyclic groups, this problem indeed turns out to be easier than the original hidden shift problem.

In the M-generalized hidden shift problem for the group G, we are given a hiding function f : {0, ..., M−1} × G → S satisfying two conditions: for any fixed j ∈ {0, ..., M−1}, f(j, x) is an injective function of x ∈ G; and for each j ∈ {0, ..., M−2}, f(j+1, x) = f(j, sx). For M = 2, this problem is equivalent to the usual hidden shift problem, since the hiding functions f_0, f_1 can be obtained as f_j(x) = f(j, x). However, the M-generalized hidden shift problem appears to become easier for larger M; it trivially reduces to the M'-generalized hidden shift problem with M' < M, but larger values of M provide new ways to query the hiding function. Note that if s^M = 1, then the M-generalized hidden shift problem is equivalent to the HSP in Z/MZ × G with the cyclic hidden subgroup ⟨(1, s)⟩. In general, the M-generalized hidden shift problem in G reduces to the HSP in G ≀ Z/MZ (Fenner and Zhang, 2008), but notice that this reduction is only efficient for M = poly(log |G|).

The Abelian generalized hidden shift problem could potentially be applied to solve lattice problems. Recall from Section VII.A that the poly(n)-unique shortest lattice vector problem efficiently reduces to (the standard approach to) the dihedral HSP. In fact the same holds for the M-generalized hidden shift problem in Z/NZ, provided M = poly(log N).

While no efficient algorithm is known for the case where M = poly(log N), efficient algorithms do exist for larger values of M. First, notice that the N-generalized hidden shift problem in Z/NZ is an HSP in Z/NZ × Z/NZ, which can be solved by Abelian Fourier sampling. Essentially the same strategy works provided M = Ω(N), but fails for sublinear values of M. However, there is another quantum algorithm that is efficient provided M ≥ N^ε for some fixed ε > 0 (Childs and van Dam, 2007), based on the pretty good measurement techniques discussed in Section VII.G. For the M-generalized hidden shift problem in Z/NZ, implementing the PGM reduces to an integer programming problem in d = log N / log M dimensions, which can be solved efficiently for d = O(1) (Lenstra, 1983).

It would also be interesting to consider the generalized hidden shift problem in non-Abelian groups. For example, a solution of this problem for the symmetric group could be used to solve the M-generalized graph isomorphism problem, in which we are given M rigid n-vertex graphs Γ_0, Γ_1, ..., Γ_{M−1} that are either all non-isomorphic, or sequentially isomorphic with a fixed isomorphism π ∈ S_n, namely Γ_{j+1} = π(Γ_j) for j = 0, 1, ..., M−2. For large M, this problem might seem considerably easier than graph isomorphism, yet no efficient algorithms for the corresponding generalized hidden shift problem are known. Indeed, very little is known about the non-Abelian generalized hidden shift problem in general.



IX. HIDDEN NONLINEAR STRUCTURES

The non-Abelian hidden subgroup problem (Section VII) was originally introduced with the hope of generalizing the success of Shor's algorithm. As we have seen, these efforts have so far met with only limited success: while polynomial-time quantum algorithms are known for the HSP in some non-Abelian groups, the cases with significant applications, namely the dihedral and symmetric groups, remain largely unresolved. Thus there have been several attempts to generalize the Abelian HSP in other ways. The hidden shift problem (Section VIII) represents one such attempt. In this section we discuss a more radical departure from the HSP, a class of problems aimed at finding hidden nonlinear structures.

Let us return our attention to the Abelian HSP, and more specifically, to the hidden subgroup problem in the additive group of the d-dimensional vector space F_q^d (where F_q denotes the finite field with q elements). Then we can view the HSP as a problem of identifying a hidden linear structure: the subgroups of the additive group F_q^d are precisely its linear subspaces, and their cosets are parallel affine subspaces, or flats (cf. step 4 of Algorithm 3). Thus in this HSP, we are given a function that is constant on sets of points specified by linear equations, and the goal is to recover certain parameters of those equations. It is natural to consider replacing the linear function by a polynomial of higher degree. Here we describe three such hidden nonlinear structure problems: the hidden polynomial problem, shifted subset problems, and polynomial Legendre symbol problems.



A. The hidden polynomial problem

Perhaps the most straightforward nonlinear generalization of the Abelian HSP is the hidden polynomial problem (Childs et al., 2007). In this problem, the hidden object is a polynomial h(x) ∈ F_q[x_1, ..., x_d]. Generalizing Eq. (42), we say that a black box function f : F_q^d → S (for some finite set S) hides the polynomial h(x) if

f(x) = f(x') if and only if h(x) = h(x')   (226)

for all x, x' ∈ F_q^d. In other words, the function f is constant on the level sets

L_y^h := h^{−1}(y) = {x ∈ F_q^d : h(x) = y}   (227)

and distinct on different level sets. The hidden polynomial problem is to determine h(x) up to differences that do not affect its level sets (i.e., up to an overall additive or multiplicative constant).

Notice that the polynomial h(x) trivially hides itself. But just as there is no a priori relationship between function values and cosets in the general HSP, we prefer to assume that the association of function values to level sets is arbitrary. Indeed, if we were promised that f(x) = h(x), even a classical computer could solve the hidden polynomial problem efficiently. But with no promise on how the level sets are mapped to function values, it is not hard to show that the classical randomized query complexity of the hidden polynomial problem is exponential in d log q (Childs et al., 2007), by a similar argument as for the Abelian HSP (Simon, 1997).

With a quantum computer, we can approach the hidden polynomial problem by closely following the standard method for the HSP (Section VII.B). Querying the function f on the uniform superposition |F_q^d⟩ and discarding the resulting function value, one is left with the state |L_y^h⟩ with probability |L_y^h|/q^d. Equivalently, the result is the hidden polynomial state

ρ_h := Σ_{y ∈ F_q} (|L_y^h| / q^d) |L_y^h⟩⟨L_y^h|.   (228)

Notice that these states are quite similar to the hidden subgroup states Eq. (131), modulo the fact that level sets of a polynomial can have different sizes, unlike the cosets of a subgroup. Just as we upper bounded the query complexity of the HSP by analyzing the statistical distinguishability of the states Eq. (131), so we can upper bound the query complexity of the hidden polynomial problem by doing the same for the states Eq. (228). Following a similar argument as in Section VII.E, one can show that

F(ρ_h, ρ_{h'}) ≤ … Σ_{y, y' ∈ F_q} …   (229)

(cf. Eq. (155)). Thus, the hidden polynomial states are pairwise distinguishable provided their level sets do not intersect too much. Since almost all polynomials are absolutely irreducible (i.e., they do not have any nontrivial factors, even over an extension of the base field), this suffices to show that if the dimension d and the maximum degree of the polynomials are fixed, then the query complexity of the hidden polynomial problem is poly(log q) for almost all polynomials (Childs et al., 2007).

Moving beyond query complexity, we would like to know whether there is an efficient quantum algorithm, i.e., one with running time poly(log q), for the hidden polynomial problem. Just as for the HSP, the most general version of this question is currently open. However, suppose we are promised that the hidden polynomial has the form

h(x_1, ..., x_d) = g(x_1, ..., x_{d−1}) − x_d   (230)

for some (d−1)-variate polynomial g(x_1, ..., x_{d−1}) ∈ F_q[x_1, ..., x_{d−1}]. (A simple example is the hidden parabola problem, in which h(x, y) = αx² + βx − y for some unknown α, β ∈ F_q that we would like to determine.) For such a hidden polynomial, the level sets are simply translates of each other, namely L_y^h = L_0^h + (0, ..., 0, y). Provided the maximum degree of the polynomial is at most some fixed constant, there is a quantum algorithm that determines h (up to an additive offset) in time poly(d log q) (Decker et al., 2007). This algorithm is based on the pretty good measurement approach described in Section VII.G. Recall that the implementation of the PGM relies on quantum sampling from the solutions of an average-case algebraic problem. For the hidden polynomial problem with a polynomial of the form Eq. (230), this problem is a system of polynomial equations, much like the pair of quadratic equations Eqs. (182) and (183) that arise in the algorithm for the HSP in the Heisenberg group.
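The hidden parabola case of Eq. (230) is small enough to enumerate. The following Python is an added example, not code from the paper or from Decker et al.: it builds the level sets L_y^h of h(x, y) = αx² + βx − y over F_p^2 for a prime p (an assumption of the example), checks that they are translates of L_0^h along the last coordinate, and computes how much the level sets of two different parabolas intersect, which is the quantity that controls the distinguishability of the states ρ_h in Eq. (228).

```python
# Added example: level sets of a hidden parabola h(x, y) = alpha*x^2 + beta*x - y
# over F_p^2 with p prime (brute force, small p). A parabola is the pair (alpha, beta).

def level_sets(p, alpha, beta):
    """Map each value y0 in F_p to the level set L_{y0} = h^{-1}(y0), Eq. (227)."""
    sets = {y0: set() for y0 in range(p)}
    for x in range(p):
        for y in range(p):
            sets[(alpha * x * x + beta * x - y) % p].add((x, y))
    return sets

def translates_of_l0(p, alpha, beta):
    """True if every level set is a shift of L_0 in the last coordinate (Eq. 230):
    here L_{y0} = L_0 + (0, -y0), since h(x, y + c) = h(x, y) - c."""
    L = level_sets(p, alpha, beta)
    return all(L[y0] == {(x, (y - y0) % p) for (x, y) in L[0]} for y0 in range(p))

def max_intersection(p, para1, para2):
    """Largest |L_y^{h} ∩ L_{y'}^{h'}| over all y, y'. Two distinct parabolas meet in at
    most 2 points, so the level sets of different hidden polynomials barely overlap."""
    A, B = level_sets(p, *para1), level_sets(p, *para2)
    return max(len(A[y] & B[y2]) for y in range(p) for y2 in range(p))

def state_overlap(p, para1, para2):
    """Tr(rho_h rho_h') for the states of Eq. (228): with p_y = |L_y|/q^d and
    |<L_y|L'_y'>| = |L_y ∩ L'_y'|/sqrt(|L_y||L'_y'|) this equals sum |L_y ∩ L'_y'|^2 / q^{2d}.
    For h = h' it is 1/p; for distinct parabolas it is much smaller."""
    A, B = level_sets(p, *para1), level_sets(p, *para2)
    return sum(len(A[y] & B[y2]) ** 2 for y in range(p) for y2 in range(p)) / p ** 4

if __name__ == "__main__":
    p = 7
    print("translates:", translates_of_l0(p, 3, 5))
    print("max intersection (1,0) vs (2,0):", max_intersection(p, (1, 0), (2, 0)))
    print("Tr(rho rho) same parabola:", state_overlap(p, (1, 0), (1, 0)))
    print("Tr(rho rho') different parabolas:", state_overlap(p, (1, 0), (1, 1)))
```

For the two parabolas y = x² − y_0 and y = x² + x − y_0', every pair of level sets meets in exactly one point (x = y_0' − y_0), so `state_overlap` returns p²/p⁴ = 1/p², against 1/p for identical parabolas; this is the concrete form of "level sets do not intersect too much".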



B. Shifted subset problems and exponential sums

Other families of hidden nonlinear structure problems arise in the setting of shifted subset problems. Such problems are most naturally stated directly in terms of quantum state distinguishability (see the footnote below). Suppose that for fixed subsets S, T ⊆ F_q^d, we are given the quantum state |S + t⟩ (a uniform superposition over the elements of S + t), where t is chosen uniformly at random from T. In other words, we are given the mixed quantum state

ρ_{S,T} := (1/|T|) Σ_{t ∈ T} |S + t⟩⟨S + t|.   (231)

In the shifted subset problem, the goal is to determine some property of S or T (or both) using samples of ρ_{S,T}.

Footnote: Although the construction is somewhat technical, it is possible to formulate shifted subset problems in terms of a black box from which the state ρ_{S,T} can be efficiently prepared on a quantum computer, but that typically must be queried exponentially many times to determine S, T on a classical computer (Childs et al., 2007).

In Childs et al. (2007), two examples of shifted subset problems are considered in which the set S is a d-dimensional sphere, i.e., the set of points

S_r := { x ∈ F_q^d : Σ_{i=1}^{d} x_i² = r }   (232)

for some r ∈ F_q. In the hidden radius problem, T = F_q^d, and the goal is to learn r. In the hidden flat of centers problem, we are promised that r = 1, and T is some unknown flat in F_q^d; the goal is to determine this flat.

In general, when T = F_q^d, symmetry ensures that ρ_{S,T} is diagonal in the Fourier basis. Then the goal is to learn S from samples of a distribution given by its Fourier transform (recall Section III.D), namely

Pr(k) = (1 / (q^d |S|)) | Σ_{x ∈ S} ω_p^{Tr(k·x)} |²,   (233)

where p is the characteristic of F_q and Tr : F_q → F_p denotes the trace map. In particular, when S = S_r is a d-dimensional sphere, the distribution is proportional to an exponential sum known as a Kloosterman sum for d even, or a Salié sum (a kind of twisted Kloosterman sum) for d odd. In either case, these distributions are information-theoretically distinguishable for different values of r. Moreover, a closed form expression for Salié sums gives an efficient quantum algorithm for determining whether r is a quadratic residue, provided d is odd.

On the other hand, suppose S is fixed and T is an unknown flat (or, more generally, some low-degree surface). If we could perform the transformation |S + t⟩ ↦ |t⟩, then we could sample from points on the flat, and thereby reconstruct it. Unfortunately, this transformation is generally not unitary, since S could intersect with its translates. However, we can attempt to approximate such a transformation using the continuous-time quantum walk on the Cayley graph of F_q^d generated by S. When S = S_1, this Cayley graph is known as the Winnie Li graph. Its eigenvalues are given by Kloosterman or Salié sums, depending on whether d is even or odd. For d odd, the explicit expression for Salié sums provides an efficient implementation of the quantum walk, which in turn gives an efficient quantum algorithm for the hidden flat of centers problem.

Of course, it is possible to make many other choices for S and T, so the above examples just begin to explore potential quantum algorithms for shifted subset problems. However, these simple examples already reveal a connection between the calculation of exponential sums (see the footnote in Section IX.C) and the implementation of quantum walk that could perhaps be developed further. It would also be interesting to find concrete algorithmic applications of shifted subset problems.
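The hidden radius distribution of Eq. (233) can be tabulated exactly for small parameters. The Python below is an added example (not from the paper): it enumerates the sphere S_r of Eq. (232) over F_p^d for a prime p (so the trace map is the identity, an assumption of the example), computes Pr(k) for every frequency k, and measures the statistical distance between the distributions for two radii, which is what "information-theoretically distinguishable for different values of r" means in practice.

```python
import cmath
import math
from itertools import product

# Added example: the Fourier-basis distribution Pr(k) of Eq. (233) for the sphere
# S_r of Eq. (232) in F_p^d. Assumes p prime and small (brute-force enumeration).

def sphere(p, d, r):
    """S_r = {x in F_p^d : x_1^2 + ... + x_d^2 = r}."""
    return [x for x in product(range(p), repeat=d)
            if sum(v * v for v in x) % p == r % p]

def fourier_distribution(p, d, S):
    """Pr(k) = |sum_{x in S} omega_p^{k.x}|^2 / (p^d |S|) for every k in F_p^d."""
    dist = {}
    for k in product(range(p), repeat=d):
        amp = sum(cmath.exp(2j * math.pi * (sum(ki * xi for ki, xi in zip(k, x)) % p) / p)
                  for x in S)
        dist[k] = abs(amp) ** 2 / (p ** d * len(S))
    return dist

def radius_distribution(p, d, r):
    """The distribution a Fourier-sampling measurement of rho_{S_r, F_p^d} produces."""
    return fourier_distribution(p, d, sphere(p, d, r))

def total_variation(P, Q):
    """Statistical distance between two distributions on the same set of k's."""
    return 0.5 * sum(abs(P[k] - Q[k]) for k in P)

if __name__ == "__main__":
    p, d = 7, 3
    P1, P3 = radius_distribution(p, d, 1), radius_distribution(p, d, 3)
    print("|S_1| =", len(sphere(p, d, 1)), " |S_3| =", len(sphere(p, d, 3)))
    print("Pr_1(0) =", P1[(0,) * d], " Pr_3(0) =", P3[(0,) * d])
    print("total variation distance:", total_variation(P1, P3))
```

The k = 0 entry alone is |S_r|/p^d, and for odd d the sphere size already depends on the quadratic character of r (for p = 7, d = 3 the spheres of radius 1 and 3 have 42 and 56 points), which is the elementary shadow of the Salié-sum closed form mentioned above; the remaining entries carry the rest of the distinguishing information.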



C. Polynomial reconstruction by Legendre symbol evaluation

The quantum algorithm for the shifted Legendre symbol problem (Section VIII.D) recovers the constant term s of a linear function f(x) = x + s hidden in the black-box function χ(f(x)) = χ(x + s), where χ is the Legendre symbol. As a precursor to the efficient quantum algorithm, it was shown that the quantum query complexity is O(1), while the classical query complexity is Ω(log p) (van Dam, 2002). Here we discuss the generalization to a nonlinear function f(x) hidden in the black-box function χ(f(x)). Russell and Shparlinski (2004) showed that the quantum query complexity is significantly lower than the classical query complexity even in this more general case. Whether there exists an efficient quantum algorithm to reconstruct the polynomial remains open.

Let f ∈ F_p[x] be an unknown polynomial. Given a black box for χ(f(x)), with χ the Legendre symbol over F_p, we want to reconstruct f using as few queries as possible. Note that for any c ∈ F_p^×, χ(c²f(x)) = χ(f(x)), making it impossible to tell the difference between f(x) and c²f(x) on the basis of the black box χ(f(x)). Moreover, if the factorization of f(x) contains a square, i.e., if f(x) = g²(x)·h(x), then χ(f(x)) = χ(g²(x))χ(h(x)), which is identical to χ(h(x)) (except possibly at the zeros of g). Thus we restrict our attention to polynomials that are monic and squarefree.

In the case where f(x) = x + s, the reason that O(1) quantum queries suffice is that the states Σ_x χ(x + s)|x⟩ are nearly orthogonal for different values of s ∈ F_p. This follows from the identity

Σ_{x ∈ F_p} χ(x + r) χ(x + s) = { p − 1 if r = s ;  −1 if r ≠ s }.   (234)

For polynomials f, g of degree d that are monic and squarefree, the generalization of this fact is provided by the Weil bound (Lidl and Niederreiter, 1997), which implies that

Σ_{x ∈ F_p} χ(f(x))² ≥ p − d   (235)
| Σ_{x ∈ F_p} χ(f(x)) χ(g(x)) | ≤ …  if f ≠ g.   (236)

Note that for d > √p/2, Eq. (236) is trivial. However, for d < p^{1/2−ε} with ε > 0, we find the following.

Footnote (to Section IX.B): Computing exponential sums is also closely related to counting the solutions of finite field equations. Indeed, Kedlaya's algorithm (Section IV.H) can be used to efficiently approximate Kloosterman sums when the field characteristic is small (see Childs et al. (2007)).

Given a black box function χ(f(x)) where f ∈ F_p[x] is an unknown monic, squarefree polynomial of degree d, two queries can be used to create the state

|χ(f)⟩ := (1/√p) Σ_{x ∈ F_p} χ̃(f(x)) |x⟩   (237)

where χ̃ is identical to χ except that χ̃(0) = 1. (This adjustment to the Legendre symbol is required to deal with the otherwise zero amplitudes for the zeros of f.) Using Eqs. (235) and (236), it follows that

|⟨χ(f)|χ(g)⟩| ≤ ….   (238)

Since there are p^d monic polynomials of degree d over F_p, Theorem 3 (and specifically, Eq. (149)) shows that there is a measurement on O(d) copies of |χ(f)⟩ that determines the d unknown coefficients of f with probability 1 − O(1/p). The classical query complexity of this problem can be shown to be Ω(d log p), which therefore gives a separation between classical and quantum query complexity.
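The character sums of Eqs. (234) to (238) are easy to verify numerically. The following Python is an added example (not from the paper or from Russell and Shparlinski): it evaluates the Legendre symbol by Euler's criterion, checks the orthogonality identity (234), builds the inner products ⟨χ(f)|χ(g)⟩ of the states (237) with the χ̃(0) = 1 adjustment, and searches all pairs of distinct monic squarefree quadratics over a small prime field for the largest overlap. The prime p and the restriction to degree 2 (where squarefreeness is just a nonzero discriminant) are assumptions of the example.

```python
# Added example: Legendre-symbol character sums over F_p, p an odd prime (brute force).
# Polynomials are coefficient lists [c0, c1, ..., cd], lowest degree first.

def legendre(x, p):
    """Legendre symbol chi(x) via Euler's criterion: x^((p-1)/2) = +-1 mod p."""
    x %= p
    if x == 0:
        return 0
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1

def poly_eval(coeffs, x, p):
    """Horner evaluation of the polynomial at x, modulo p."""
    value = 0
    for c in reversed(coeffs):
        value = (value * x + c) % p
    return value

def char_sum(f, g, p):
    """sum_x chi(f(x)) chi(g(x)); Eq. (234) is the case f = x + r, g = x + s."""
    return sum(legendre(poly_eval(f, x, p), p) * legendre(poly_eval(g, x, p), p)
               for x in range(p))

def chi_tilde(v, p):
    """chi with chi~(0) := 1, the adjustment used in Eq. (237)."""
    s = legendre(v, p)
    return 1 if s == 0 else s

def state_overlap(f, g, p):
    """<chi(f)|chi(g)> for the real unit vectors |chi(f)> of Eq. (237)."""
    return sum(chi_tilde(poly_eval(f, x, p), p) * chi_tilde(poly_eval(g, x, p), p)
               for x in range(p)) / p

def monic_squarefree_quadratics(p):
    """x^2 + b x + c with nonzero discriminant b^2 - 4c (squarefree for degree 2)."""
    return [[c, b, 1] for b in range(p) for c in range(p) if (b * b - 4 * c) % p != 0]

def max_quadratic_overlap(p):
    """Largest |<chi(f)|chi(g)>| over distinct monic squarefree quadratics,
    the quantity that Eq. (238) bounds; it is well below 1 for d << sqrt(p)."""
    polys = monic_squarefree_quadratics(p)
    return max(abs(state_overlap(f, g, p))
               for i, f in enumerate(polys) for g in polys[i + 1:])

if __name__ == "__main__":
    p = 13
    print("sum chi(x+3)chi(x+3) =", char_sum([3, 1], [3, 1], p), "(expect p-1)")
    print("sum chi(x+3)chi(x+5) =", char_sum([3, 1], [5, 1], p), "(expect -1)")
    print("<chi(x+3)|chi(x+5)> =", state_overlap([3, 1], [5, 1], p))
    print("max overlap among distinct quadratics mod", p, "=", max_quadratic_overlap(p))
```

For f = x + 3 and g = x + 5 over F_13 the plain character sum is −1 as Eq. (234) says, while the state overlap is −3/13: the two extra terms come from the zeros x = 10 and x = 8, where χ̃ replaces a 0 by a 1, which is exactly the effect the adjustment in Eq. (237) introduces and Eq. (238) has to absorb.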

X. APPROXIMATING #P-COMPLETE PROBLEMS

Recently, there has been considerable interest in quantum algorithms for approximately solving various #P-complete problems. The first such algorithms were for approximating the Jones polynomial; more recently, similar ideas have been used to give approximate solutions to other #P-complete problems. These algorithms are not as closely related to Shor's as most of those discussed in this article, but they are decidedly algebraic, relying heavily on group representation theory.

The Jones polynomial is a central object in low-dimensional topology with surprising connections to physics. Witten (1989) showed that the Jones polynomial is closely related to topological quantum field theory (TQFT). Freedman et al. (2003) investigated the relationship between TQFT and topological quantum computing, showing that quantum computers can efficiently simulate TQFTs (Freedman et al., 2002b), and that in fact TQFTs essentially capture the power of quantum computation (Freedman et al., 2002a). In particular, Freedman et al. (2002b) showed that quantum computers can efficiently approximate the Jones polynomial at a fifth root of unity. Subsequently, Aharonov et al. (2006) described an explicit quantum algorithm for approximating the Jones polynomial, generalizing to any primitive root of unity (see also the work by Wocjan and Yard (2008)).

To define the Jones polynomial, we must first introduce the concepts of knots and links. A knot is an embedding of the circle in R³, i.e., a closed loop of string that may wrap around itself in any way. More generally, a link is a collection of any number of knots that may be intertwined. In an oriented link, each loop of string is directed. It is natural to identify links that are isotopic, i.e., that can be transformed into one another by continuous deformation of the strings.

The Jones polynomial of an oriented link L is a Laurent polynomial V_L(t) in the variable √t, i.e., a polynomial in √t and 1/√t. It is a link invariant, meaning that V_L(t) = V_{L'}(t) if the oriented links L and L' are isotopic. While it is possible for the Jones polynomial to take the same value on two non-isotopic links, it can often distinguish links; for example, the Jones polynomials of the two orientations of the trefoil knot are different.

Given an oriented link L, one way to define its Jones polynomial is as follows (Kauffman, 1987). First, let us define the Kauffman bracket ⟨L⟩, which does not depend on the orientation of L. Each crossing in the link diagram can be opened in one of two ways, and for any given crossing we have

⟨✕⟩ = t^{1/4} ⟨)(⟩ + t^{−1/4} ⟨≍⟩   (239)

where the rest of the link remains unchanged. Repeatedly applying this rule, we eventually arrive at a link consisting of disjoint unknots. The Kauffman bracket of a single unknot is ⟨○⟩ := 1, and more generally, the Kauffman bracket of n unknots is (−t^{1/2} − t^{−1/2})^{n−1}. By itself, the Kauffman bracket is not a link invariant, but it can be turned into one by taking into account the orientation of the link, giving the Jones polynomial. For any oriented link L, we define its writhe w(L) as the number of crossings of the form … minus the number of crossings of the form … (the two crossing types are drawn in the original). Then the Jones polynomial is defined as

V_L(t) := (−t^{1/4})^{3w(L)} ⟨L⟩.   (240)
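The state-sum reading of Eqs. (239) and (240) can be implemented directly: expand every crossing both ways, count the resulting loops, and weight each term accordingly. The Python below is an added example, not code from the paper or from Kauffman. It takes a link diagram as a planar-diagram (PD) code, one 4-tuple of edge labels per crossing listed counterclockwise from the incoming under-strand, a standard encoding that is an assumption of this example, and works in Kauffman's variable A = t^{−1/4}, so that the bracket is Σ A^{#A − #B} (−A² − A^{−2})^{loops − 1} and the writhe correction is (−A³)^{−w(L)}; this is the same relation as Eqs. (239) and (240) up to which smoothing is named first. The crossing-sign rule used for the writhe is also an assumption of the example, checked here against the known trefoil polynomial.

```python
# Added example: Kauffman bracket and Jones polynomial by brute-force state sum.
# Laurent polynomials in A are dicts {exponent: coefficient}.
# PD code (assumed encoding): crossing (i, j, k, l) lists the four edge labels
# counterclockwise starting from the incoming under-strand i; labels increase
# along the orientation of each component.

def lp_add(p, q):
    out = dict(p)
    for e, c in q.items():
        out[e] = out.get(e, 0) + c
    return {e: c for e, c in out.items() if c}

def lp_mul(p, q):
    out = {}
    for e1, c1 in p.items():
        for e2, c2 in q.items():
            out[e1 + e2] = out.get(e1 + e2, 0) + c1 * c2
    return {e: c for e, c in out.items() if c}

def lp_pow(p, n):
    out = {0: 1}
    for _ in range(n):
        out = lp_mul(out, p)
    return out

DELTA = {2: -1, -2: -1}      # each additional unknot contributes -A^2 - A^-2

def kauffman_bracket(pd):
    """<L> = sum over all 2^n smoothings of A^(#A - #B) * DELTA^(loops - 1)."""
    n = len(pd)
    total = {}
    for state in range(1 << n):
        parent = {}                       # union-find over edge labels
        def find(x):
            parent.setdefault(x, x)
            while parent[x] != x:
                parent[x] = parent[parent[x]]
                x = parent[x]
            return x
        def union(x, y):
            parent[find(x)] = find(y)
        a_count = 0
        for idx, (i, j, k, l) in enumerate(pd):
            if (state >> idx) & 1 == 0:   # A-smoothing joins (i, j) and (k, l)
                a_count += 1
                union(i, j); union(k, l)
            else:                         # B-smoothing joins (i, l) and (j, k)
                union(i, l); union(j, k)
        loops = len({find(x) for x in list(parent)})
        term = lp_mul({2 * a_count - n: 1}, lp_pow(DELTA, loops - 1))
        total = lp_add(total, term)
    return total

def writhe(pd):
    """Sum of crossing signs; the over-strand runs l -> j (positive) or j -> l
    (negative) since labels increase along the orientation (assumed rule)."""
    m = 2 * len(pd)
    w = 0
    for i, j, k, l in pd:
        if (j - l) % m == 1:
            w += 1
        elif (l - j) % m == 1:
            w -= 1
        else:
            raise ValueError("over-strand labels are not consecutive")
    return w

def jones_polynomial(pd):
    """V_L(t) as {power of t: coefficient} from (-A^3)^(-w) <L> with A = t^(-1/4)."""
    w = writhe(pd)
    correction = lp_pow({-3: -1} if w >= 0 else {3: -1}, abs(w))
    f = lp_mul(correction, kauffman_bracket(pd))
    result = {}
    for e, c in f.items():
        if e % 4:
            raise ValueError("exponent not divisible by 4: inconsistent conventions")
        result[-e // 4] = c
    return result

# Constructed input: the standard PD code of a trefoil knot (three crossings)
TREFOIL = [(1, 4, 2, 5), (3, 6, 4, 1), (5, 2, 6, 3)]

if __name__ == "__main__":
    print("bracket:", kauffman_bracket(TREFOIL))
    print("writhe:", writhe(TREFOIL))
    print("Jones polynomial {t-power: coeff}:", jones_polynomial(TREFOIL))
```

The state sum visits 2^m smoothings for m crossings, which is the exponential cost that the additive approximation algorithms discussed next avoid; for the constructed trefoil the bracket is A⁷ − A³ − A^{−5}, the writhe is −3, and the Jones polynomial is t^{−1} + t^{−3} − t^{−4}, the left-handed trefoil, whose mirror image gives t + t³ − t⁴ (the "two orientations of the trefoil" remark above).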

It is useful to view links as arising from braids. A braid is a collection of n parallel strands, with adjacent strands allowed to cross over or under one another. Two braids on the same number of strands can be composed by placing them end to end. The braid group B_n on n strands is an infinite group with generators {σ_1, ..., σ_{n−1}}, where σ_i denotes a twist in which strand i passes over strand i + 1, interchanging the two strands. More formally, the braid group is defined by the relations σ_i σ_{i+1} σ_i = σ_{i+1} σ_i σ_{i+1} and σ_i σ_j = σ_j σ_i for |i − j| > 1.

Braids and links differ in that the ends of a braid are open, whereas a link consists of closed strands. We can obtain a link from a braid by connecting the ends of the strands in some way. One simple way to close a braid is via the trace closure, in which the ith strand of one end is connected to the ith strand of the other end for each i = 1, ..., n, without crossing the strands. A theorem of Alexander (1923) states that any link can be obtained as the trace closure of some braid.

The Jones polynomial of the trace closure of a braid can be expressed in terms of the Markov trace (a weighted variant of the usual trace) of a representation of the braid group defined over the Temperley-Lieb algebra (Jones, 1985). When evaluating the Jones polynomial V_L(t) at the root of unity t = e^{2πi/k}, this representation is unitary. This naturally suggests a quantum algorithm for approximating the Jones polynomial. Suppose that we can implement unitary operations corresponding to twists of adjacent strands on a quantum computer. By composing such operations, we can implement a unitary operation corresponding to the entire braid. It remains to approximate the Markov trace of this operator.

The trace of a unitary operation U can be approximated on a quantum computer using the Hadamard test. If a conditional U operation is applied to the state |+⟩ ⊗ |ψ⟩ and the first qubit is measured in the |±⟩ basis, where |±⟩ := (1/√2)(|0⟩ ± |1⟩), the expectation value of the outcome is precisely Re(⟨ψ|U|ψ⟩). (This is simply the phase estimation procedure described in Section III.C with n = 1, i.e., with a single bit of precision.) Replacing the states |±⟩ by the states |±i⟩ := (1/√2)(|0⟩ ± i|1⟩), we can approximate Im(⟨ψ|U|ψ⟩). Using a maximally mixed state as input instead of the pure state |ψ⟩ and sampling sufficiently many times from the resulting distribution, we can obtain an approximation of Re(Tr U) or Im(Tr U). Similarly, we can approximate a weighted trace by sampling from an appropriate distribution over pure states.
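The Hadamard test is small enough to simulate exactly. The following Python is an added example (not code from the paper): it builds the two-register state |+⟩ ⊗ |ψ⟩, applies the conditional U, rotates the control qubit into the |±⟩ (or |±i⟩) basis, and returns the expectation value of the ±1 outcome, which comes out as Re⟨ψ|U|ψ⟩ (or Im⟨ψ|U|ψ⟩) with no sampling noise; averaging over the computational basis reproduces the maximally-mixed-input trace estimate. Matrices and vectors are plain Python lists; the sample unitary is a constructed single-qubit phase gate.

```python
import math

# Added example: exact statistics of the Hadamard test for a d x d unitary U
# (list of rows) and a normalized state vector psi (list of complex amplitudes).

def hadamard_test(U, psi, imaginary=False):
    """Expectation value of the +-1 outcome: Re<psi|U|psi>, or Im<psi|U|psi>
    when the control is measured in the |+-i> basis (imaginary=True)."""
    d = len(psi)
    inv_sqrt2 = 1 / math.sqrt(2)
    # joint state |+> (x) |psi>; index = control * d + target
    s = [0j] * (2 * d)
    for x in range(d):
        s[x] = psi[x] * inv_sqrt2
        s[d + x] = psi[x] * inv_sqrt2
    # conditional U: act on the half of the vector where the control is |1>
    upper = [sum(U[y][x] * s[d + x] for x in range(d)) for y in range(d)]
    for y in range(d):
        s[d + y] = upper[y]
    if imaginary:
        # measuring in the |+-i> basis == applying S^dagger to the control first
        for y in range(d):
            s[d + y] *= -1j
    # Hadamard on the control maps |+> -> |0>, |-> -> |1>
    out = [0j] * (2 * d)
    for x in range(d):
        out[x] = (s[x] + s[d + x]) * inv_sqrt2
        out[d + x] = (s[x] - s[d + x]) * inv_sqrt2
    p_plus = sum(abs(v) ** 2 for v in out[:d])
    p_minus = sum(abs(v) ** 2 for v in out[d:])
    return p_plus - p_minus

def trace_estimate(U, imaginary=False):
    """Average of the test over computational basis inputs, i.e. the maximally
    mixed input state: equals Re(Tr U)/d (or Im(Tr U)/d)."""
    d = len(U)
    return sum(hadamard_test(U, [1.0 if y == x else 0.0 for y in range(d)], imaginary)
               for x in range(d)) / d

# Constructed sample unitary: a single-qubit phase gate diag(1, e^{i pi/3})
PHASE = [[1, 0], [0, complex(math.cos(math.pi / 3), math.sin(math.pi / 3))]]

if __name__ == "__main__":
    print("Re<1|U|1> =", hadamard_test(PHASE, [0, 1]))
    print("Im<1|U|1> =", hadamard_test(PHASE, [0, 1], imaginary=True))
    print("Re(Tr U)/2 =", trace_estimate(PHASE), " Im(Tr U)/2 =", trace_estimate(PHASE, True))
```

A real device only sees samples of the ±1 outcome, so estimating the expectation to additive error ε costs O(1/ε²) repetitions; that sampling overhead is the source of the additive (rather than multiplicative) approximation discussed below.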

Applying this approach to the relevant unitary representation of the braid group, one obtains a quantum algorithm for approximating the Jones polynomial of the trace closure of a braid at a root of unity. In particular, for a braid on n strands, with m crossings, and with t = e^{2πi/k}, there is an algorithm running in time poly(n, m, k) that outputs an approximation differing from the actual value V_L(t) of the Jones polynomial by at most (2 cos(π/k))^{n−1} / poly(n, k, m), with only exponentially small probability of failure (Aharonov et al., 2006).

Given a braid with an even number of strands, another natural way to create a link is called the plat closure. Here, we simply join adjacent pairs of strands at each end of the braid. The plat closure can be viewed as the trace closure of a braid on 2n strands together with 2n additional straight strands. Using this fact, we can express the Jones polynomial of the plat closure of a braid at t = e^{2πi/k} as the expectation value of a particular unitary representation of the braid group in a pure quantum state. Thus the Jones polynomial of the plat closure can also be approximated using the Hadamard test, but now using a pure input state instead of a mixed one. This gives an efficient quantum algorithm for an additive approximation of the Jones polynomial of the plat closure of a braid at a root of unity (Aharonov et al., 2006).

Notice that these algorithms only provide additive approximations, meaning that the error incurred by the algorithm is independent of the value being approximated, which is undesirable when that value is small. (In fact, note that the additive error increases exponentially with n, the number of strands in the braid.) It would be preferable to obtain a multiplicative approximation, or better still, an exact calculation. However, exactly computing the Jones polynomial is #P-hard (Jaeger et al., 1990), and hence unlikely to be possible even with a quantum computer. Furthermore, obtaining the additive approximation achieved by Aharonov et al. (2006) for the Jones polynomial of the plat closure of a braid is as hard as any quantum computation (Aharonov and Arad, 2006; Bordewich et al., 2005; Freedman et al., 2002a; Wocjan and Yard, 2008).

To implement the quantum algorithm for approximating the trace closure of a braid, it is only necessary to have a single pure qubit (the qubit initialized to |+⟩ in the Hadamard test), and many mixed ones. Thus it can be carried out in the one clean qubit model introduced by Knill and Laflamme (1998) to investigate the power of mixed state quantum computation. In fact, the problem of estimating the Jones polynomial of the trace closure of a braid at a fifth root of unity (to the precision described above) exactly characterizes the power of this model (Jordan and Wocjan, 2008; Shor and Jordan, 2008), just as the approximation of the plat closure characterizes general quantum computation.

We conclude by briefly mentioning various extensions of these results. Wocjan and Yard (2008) show how to evaluate the Jones polynomial of a generalized closure of a braid, and how to evaluate a generalization of the Jones polynomial called the HOMFLYPT polynomial. Recent work of Aharonov et al. (2007a) shows how to approximate the Tutte polynomial of a planar graph, which in particular gives an approximation of the partition function of the Potts model on a planar graph; this problem also characterizes the power of quantum computation, albeit only for unphysical choices of parameters. More generally, there are efficient quantum algorithms to compute additive approximations of tensor networks (Arad and Landau, 2008).



Acknowledgments

We thank Sean Hallgren for discussions of algorithms for number fields. We also thank Dorit Aharonov, Greg Kuperberg, Frédéric Magniez, Cris Moore, Miklos Santha, John Watrous, and Pawel Wocjan for comments on a preliminary version. This article was written in part while AMC was at the Institute for Quantum Information at Caltech, where he received support from the National Science Foundation under grant PHY-456720 and from the Army Research Office under grant W911NF-05-1-0294. AMC was also supported in part by MITACS, NSERC, and the US ARO/DTO. WvD was supported in part by the Disruptive Technology Office (DTO) under Army Research Office (ARO) contract number W911NF-04-R-0009 and by an NSF CAREER award.



APPENDIX A: Number Theory

1. Arithmetic modulo N

When performing calculations with integers modulo N, we use the equivalence relation x ≡ y mod N if and only if x − y ∈ NZ = {..., −N, 0, N, 2N, ...}. Often we omit the notation 'mod N' and instead consider x and y as elements of the ring Z/NZ. Other ways of denoting this ring are Z_N and Z/(N); in this article we use the notation Z/NZ, which is conventional in computational number theory. Although formally the elements of Z/NZ are the sets {..., −N + x, x, x + N, x + 2N, ...}, we often simply represent such an element by the integer x; this representation is unique if we require x ∈ {0, ..., N − 1}.

Addition modulo N corresponds to the additive group (Z/NZ, +), which has N elements. For example, with N = 2 we have 0 + 0 = 0, 1 + 0 = 0 + 1 = 1, and 1 + 1 = 0. If N has the prime factorization N = p_1^{r_1} ··· p_k^{r_k}, then the additive group Z/NZ can be decomposed as (Z/p_1^{r_1}Z) × ··· × (Z/p_k^{r_k}Z).

Multiplication modulo N is more complicated than addition as not all elements of Z/NZ have a multiplicative inverse. For example, 5 · 5 = 1 mod 6, but there is no element x such that 2x = 1 mod 6. In general, there exists a y such that xy = 1 mod N if and only if gcd(x, N) = 1, where gcd(x, N) is the greatest common divisor of x and N. The set of such invertible elements of Z/NZ make up the multiplicative group (Z/NZ)^×. It is easy to check that in Z/6Z there are only two invertible elements: (Z/6Z)^× = {1, 5}. The size of the multiplicative group (Z/NZ)^× depends on the prime factorization of N; one can show that for N = p_1^{r_1} ··· p_k^{r_k},

φ(N) := |(Z/NZ)^×| = (p_1 − 1) p_1^{r_1 − 1} ··· (p_k − 1) p_k^{r_k − 1}   (A1)

where φ is called Euler's totient function. Similarly to the additive case, one also has the multiplicative group isomorphism (Z/NZ)^× ≅ (Z/p_1^{r_1}Z)^× × ··· × (Z/p_k^{r_k}Z)^×.

By combining the isomorphisms for the additive and the multiplicative groups of integers modulo N, we obtain the Chinese remainder theorem. This states that for N = p_1^{r_1} ··· p_k^{r_k}, the bijection between the elements x ∈ Z/NZ and the k-tuples (x_1, ..., x_k) ∈ (Z/p_1^{r_1}Z) × ··· × (Z/p_k^{r_k}Z) (with x_i = x mod p_i^{r_i} for all i) respects both addition and multiplication in the ring Z/NZ. This fact often allows us to break up algebraic problems in Z/NZ into k smaller problems in Z/p_i^{r_i}Z, which can be easier to deal with.
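The statements of this subsection are checkable with a few lines of arithmetic. The Python below is an added example (not from the paper): it finds modular inverses with the extended Euclidean algorithm (which also exhibits the gcd(x, N) = 1 condition), evaluates Euler's totient from a factorization as in Eq. (A1) and compares it with a direct count of (Z/NZ)^×, and implements the Chinese remainder bijection in both directions, verifying that it respects addition and multiplication. The moduli and N used are constructed sample values.

```python
from math import gcd

# Added example: units modulo N, Euler's totient (Eq. A1) and the Chinese remainder
# theorem, all by elementary arithmetic on small constructed moduli.

def egcd(a, b):
    """Extended Euclid: return (g, s, t) with g = gcd(a, b) = s*a + t*b."""
    old_r, r, old_s, s, old_t, t = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t

def mod_inverse(x, N):
    """y with x*y = 1 mod N; exists exactly when gcd(x, N) = 1."""
    g, s, _ = egcd(x % N, N)
    if g != 1:
        raise ValueError(f"{x} has no inverse modulo {N}: gcd = {g}")
    return s % N

def units(N):
    """The multiplicative group (Z/NZ)^x as a sorted list."""
    return [x for x in range(N) if gcd(x, N) == 1]

def euler_phi(factorization):
    """phi(N) from N = prod p^r, given as {p: r}, via Eq. (A1)."""
    result = 1
    for p, r in factorization.items():
        result *= (p - 1) * p ** (r - 1)
    return result

def crt_split(x, moduli):
    """x -> (x mod m_1, ..., x mod m_k)."""
    return tuple(x % m for m in moduli)

def crt_combine(residues, moduli):
    """Inverse map for pairwise coprime moduli: the unique x mod N with x = r_i mod m_i."""
    N = 1
    for m in moduli:
        N *= m
    x = 0
    for r, m in zip(residues, moduli):
        M = N // m                                   # M is invertible modulo m
        x += r * M * mod_inverse(M, m)
    return x % N

def crt_is_ring_isomorphism(moduli):
    """Check that the bijection respects + and * on all of Z/NZ."""
    N = 1
    for m in moduli:
        N *= m
    for x in range(N):
        for y in range(N):
            sx, sy = crt_split(x, moduli), crt_split(y, moduli)
            if crt_split((x + y) % N, moduli) != tuple((a + b) % m for a, b, m in zip(sx, sy, moduli)):
                return False
            if crt_split((x * y) % N, moduli) != tuple((a * b) % m for a, b, m in zip(sx, sy, moduli)):
                return False
            if crt_combine(sx, moduli) != x:
                return False
    return True

if __name__ == "__main__":
    print("(Z/6Z)^x =", units(6), " 5^-1 mod 6 =", mod_inverse(5, 6))
    print("phi(12) =", euler_phi({2: 2, 3: 1}), "= |(Z/12Z)^x| =", len(units(12)))
    print("x = 1 mod 3, x = 2 mod 4  ->  x =", crt_combine((1, 2), (3, 4)))
    print("CRT for N = 12 = 4 * 3 is a ring isomorphism:", crt_is_ring_isomorphism((4, 3)))
```

`crt_combine` is the standard reconstruction x = Σ r_i M_i (M_i^{−1} mod m_i); the same split-compute-recombine pattern is what lets an algebraic problem modulo N be solved modulo each prime power separately, as the text describes.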



2. Finite fields and their extensions

For a prime number $p$ we have $\varphi(p) = p - 1$, which means that all but the zero element of $\mathbb{Z}/p\mathbb{Z}$ have a multiplicative inverse modulo $p$. Thus $\mathbb{Z}/p\mathbb{Z}$ is a finite field, which we denote by $\mathbb{F}_p$. Just as $\mathbb{R}$ is a field that can be extended to $\mathbb{C}$ by including the solutions to polynomial equations such as $x^2 + 1 = 0$, so can the finite field $\mathbb{F}_p$ be extended to $\mathbb{F}_{p^r}$ for any positive integer $r$. Any finite field has order $q = p^r$ with $p$ some prime, and for each prime power $p^r$ there is a finite field of that order. Up to isomorphism, this finite field is in fact unique, so we can refer to the finite field $\mathbb{F}_q$ without ambiguity. The additive group of $\mathbb{F}_{p^r}$ is isomorphic to the additive group $(\mathbb{Z}/p\mathbb{Z})^r$, while the multiplicative group $\mathbb{F}_{p^r}^\times$ is cyclic, and is isomorphic to the additive group $\mathbb{Z}/(p^r - 1)\mathbb{Z}$. Note that $\mathbb{F}_{p^r}$ is very different from $\mathbb{Z}/p^r\mathbb{Z}$ for $r > 1$, as $|\mathbb{F}_{p^r}^\times| = p^r - 1$ while

$|(\mathbb{Z}/p^r\mathbb{Z})^\times| = (p - 1)\,p^{r-1}.$

A standard way of explicitly constructing a finite field $\mathbb{F}_{p^r}$ is by extending $\mathbb{F}_p$ with a formal variable $\alpha$ satisfying $T(\alpha) = 0$, where $T$ is an irreducible polynomial of degree $r$ in $\mathbb{F}_p[\alpha]$. The finite field $\mathbb{F}_{p^r}$ is isomorphic to the ring of polynomials $\mathbb{F}_p[\alpha]$ modulo the polynomial $T(\alpha)$, i.e., $\mathbb{F}_{p^r} \cong \mathbb{F}_p[\alpha]/(T(\alpha))$.

Example (Construction of $\mathbb{F}_8$). Modulo 2, the polynomial $T(\alpha) = \alpha^3 + \alpha + 1$ is irreducible: $T(\alpha)$ cannot be written as the product of two nontrivial polynomials. Hence $\mathbb{F}_2[\alpha]/(\alpha^3 + \alpha + 1)$ is the finite field $\mathbb{F}_8$. The addition in this field is the straightforward addition of quadratic polynomials modulo 2, such that, for example, $(\alpha^2 + \alpha) + (\alpha^2 + 1) = \alpha + 1$. Multiplication of the elements is slightly more involved, but the explicit multiplication table (Table II) confirms that $\mathbb{F}_2[\alpha]/(\alpha^3 + \alpha + 1)$ is indeed a field. Note for example that $\alpha$ has multiplicative inverse $\alpha^2 + 1$, as $\alpha(\alpha^2 + 1) = \alpha^3 + \alpha = 1$ by the equality $\alpha^3 + \alpha + 1 = 0$.
TABLE II The multiplication table of the finite field $\mathbb{F}_8$ represented by the elements of $\mathbb{F}_2[\alpha]/(\alpha^3 + \alpha + 1)$.



Obviously, $\mathbb{F}_8$ contains the subfield $\mathbb{F}_2$, but less obviously, $\mathbb{F}_8$ does not contain $\mathbb{F}_4$. In general, $\mathbb{F}_{q_1}$ contains the finite field $\mathbb{F}_{q_2}$ if and only if $q_1$ is a power of $q_2$, hence if and only if $q_1 = p^{r_1}$ and $q_2 = p^{r_2}$ where $r_2$ divides $r_1$. For a finite field $\mathbb{F}_q$ with $q = p^r$ and $p$ prime, we call $\mathbb{F}_p$ the base field of $\mathbb{F}_q$, and we call $\mathbb{F}_{p^r}$ the degree $r$ extension of the field $\mathbb{F}_p$. By taking the limit of arbitrarily high degree $r$, we obtain the algebraic closure $\overline{\mathbb{F}}_p$ of $\mathbb{F}_p$, which is an infinite field.

Although the construction of an extension field using an irreducible polynomial makes it easy to explicitly perform calculations, the procedure soon becomes cumbersome, as Table II already shows. Furthermore, the representation depends on the specific polynomial being used, so it introduces a certain arbitrariness. Hence, whenever possible, we talk about finite fields without specifying a particular representation.



3. Structure of finite fields

Starting from the infinite field $\overline{\mathbb{F}}_p$, the elements of $\mathbb{F}_{p^r}$ can be characterized as the $q = p^r$ solutions to the equation $x^q = x$. This immediately implies the above statement that $\mathbb{F}_{p^{r_1}}$ contains $\mathbb{F}_{p^{r_2}}$ if and only if $r_2$ divides $r_1$.

Within the finite field $\mathbb{F}_{p^r}$, the Frobenius automorphism $\phi : \mathbb{F}_{p^r} \to \mathbb{F}_{p^r}$ is the map defined by $\phi(x) = x^p$. It is a field automorphism, meaning that $\phi(x + y) = \phi(x) + \phi(y)$ and $\phi(xy) = \phi(x)\phi(y)$ for all $x, y \in \mathbb{F}_{p^r}$. Iterating the Frobenius automorphism gives the $r$ different maps $\phi^j : x \mapsto x^{p^j}$ for $j = 0, 1, \ldots, r - 1$, which are all automorphisms of $\mathbb{F}_{p^r}$. Because $\phi(a) = a$ for all base field elements $a \in \mathbb{F}_p$, we see that if $x \in \mathbb{F}_{p^r}$ is a root of a polynomial $F(X) = a_d X^d + \cdots + a_1 X + a_0 \in \mathbb{F}_p[X]$ with coefficients in the base field $\mathbb{F}_p$, then so are its conjugates, as, assuming $F(x) = 0$, we have $F(\phi(x)) = \sum_i a_i (\phi(x))^i = \sum_i \phi(a_i x^i) = \phi(F(x)) = 0$. This result generalizes to multivariate polynomials $F \in \mathbb{F}_p[X_1, \ldots, X_n]$ with roots $x = (x_1, \ldots, x_n) \in \mathbb{F}_{p^r}^n$: if $F(x) = 0$ then also $F(\phi^j(x)) = F(\phi^j(x_1), \ldots, \phi^j(x_n)) = 0$. Hence the set of solutions $\{x \in \mathbb{F}_{p^r}^n : F(x) = 0\}$ is invariant under the Frobenius automorphism.
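The construction $\mathbb{F}_{p^r} \cong \mathbb{F}_p[\alpha]/(T(\alpha))$ of the previous subsection and the Frobenius facts of this one ($x^q = x$ for all elements, $\phi$ is an automorphism of order $r$, roots of base-field polynomials come in conjugate sets) can all be checked mechanically. The following Python is an added example, not code from the review: elements are coefficient tuples, $T(\alpha) = \alpha^3 + \alpha + 1$ is the text's modulus for $\mathbb{F}_8$, and the class and function names are my own. It regenerates the content of Table II, shows that a reducible modulus such as $\alpha^2 + 1 = (\alpha + 1)^2$ over $\mathbb{F}_2$ does not give a field, and confirms that $\mathbb{F}_8$ has no subfield of size 4 by counting the fixed points of $\phi^2$.

```python
"""F_{p^r} = F_p[alpha]/(T(alpha)) and its Frobenius automorphism.

Added example, not code from the review: class and function names are my
own; T(alpha) = alpha^3 + alpha + 1 is the text's modulus for F_8.
"""
import itertools


class ExtensionField:
    """Elements are coefficient tuples (c_0, ..., c_{r-1}) standing for
    c_0 + c_1 alpha + ... + c_{r-1} alpha^{r-1}."""

    def __init__(self, p, T):
        # T: the monic modulus, lowest degree first, e.g. (1, 1, 0, 1) = 1 + alpha + alpha^3
        assert T[-1] == 1, "modulus must be monic"
        self.p, self.T, self.r = p, tuple(T), len(T) - 1
        self.q = p ** self.r

    def zero(self):
        return (0,) * self.r

    def one(self):
        return (1,) + (0,) * (self.r - 1)

    def elements(self):
        return list(itertools.product(range(self.p), repeat=self.r))

    def add(self, x, y):
        return tuple((a + b) % self.p for a, b in zip(x, y))

    def mul(self, x, y):
        # Schoolbook product, then rewrite alpha^k (k >= r) using
        # alpha^r = -(T_0 + T_1 alpha + ... + T_{r-1} alpha^{r-1}).
        prod = [0] * (2 * self.r - 1)
        for i, a in enumerate(x):
            for j, b in enumerate(y):
                prod[i + j] = (prod[i + j] + a * b) % self.p
        for k in range(2 * self.r - 2, self.r - 1, -1):
            c, prod[k] = prod[k], 0
            for i in range(self.r):
                prod[k - self.r + i] = (prod[k - self.r + i] - c * self.T[i]) % self.p
        return tuple(prod[: self.r])

    def power(self, x, e):
        result, base = self.one(), x
        while e:
            if e & 1:
                result = self.mul(result, base)
            base, e = self.mul(base, base), e >> 1
        return result

    def inverse(self, x):
        """Brute-force search for y with x*y = 1; None if x is not invertible."""
        return next((y for y in self.elements() if self.mul(x, y) == self.one()), None)

    def is_field(self):
        """The quotient ring is a field iff every nonzero element is invertible,
        which is exactly the case when T is irreducible."""
        return all(self.inverse(x) is not None for x in self.elements() if x != self.zero())

    def multiplication_table(self):
        """The analogue of Table II: products of all pairs of nonzero elements."""
        nonzero = [x for x in self.elements() if x != self.zero()]
        return {(x, y): self.mul(x, y) for x in nonzero for y in nonzero}

    def frobenius(self, x, j=1):
        """phi^j(x) = x^(p^j)."""
        return self.power(x, self.p ** j)


def frobenius_is_automorphism(F):
    """phi respects + and *, is a bijection, and phi^r is the identity."""
    E = F.elements()
    pairs = [(x, y) for x in E for y in E]
    additive = all(F.frobenius(F.add(x, y)) == F.add(F.frobenius(x), F.frobenius(y)) for x, y in pairs)
    multiplicative = all(F.frobenius(F.mul(x, y)) == F.mul(F.frobenius(x), F.frobenius(y)) for x, y in pairs)
    bijective = len({F.frobenius(x) for x in E}) == len(E)
    order_r = all(F.frobenius(x, F.r) == x for x in E)
    return additive and multiplicative and bijective and order_r


def count_fixed_points(F, j):
    """Number of x with x^(p^j) = x: the size of the subfield fixed by phi^j."""
    return sum(1 for x in F.elements() if F.frobenius(x, j) == x)


def roots_in_field(F, coeffs):
    """Roots in F of a polynomial with base-field coefficients, lowest degree first."""
    def evaluate(x):
        total = F.zero()
        for i, a in enumerate(coeffs):
            total = F.add(total, F.mul((a % F.p,) + (0,) * (F.r - 1), F.power(x, i)))
        return total
    return {x for x in F.elements() if evaluate(x) == F.zero()}


def roots_closed_under_frobenius(F, coeffs):
    """The conjugates phi(x) of every root x are again roots."""
    roots = roots_in_field(F, coeffs)
    return all(F.frobenius(x) in roots for x in roots)
```

With `F8 = ExtensionField(2, (1, 1, 0, 1))`, the tuple `(0, 1, 0)` is $\alpha$, `F8.inverse((0, 1, 0))` returns `(1, 0, 1)`, i.e. $\alpha^2 + 1$, and `roots_in_field(F8, (1, 1, 0, 1))` returns the three conjugates $\alpha, \alpha^2, \alpha^4 = \alpha^2 + \alpha$ of the defining polynomial. Counting fixed points of $\phi^j$ gives 2, 2, 8 for $j = 1, 2, 3$: only $\mathbb{F}_2$ and $\mathbb{F}_8$ itself occur, matching the divisibility rule for subfields.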



APPENDIX B: Representation Theory of Finite Groups

In this appendix, we briefly review the theory of group representations needed to study the non-Abelian HSP. Here it is sufficient to restrict our attention to finite groups, and to representations over finite-dimensional complex vector spaces. For a more detailed introduction to representation theory, see Hamermesh (1989); Serre (1977).



1. General theory

A linear representation (or simply representation) of a finite group $G$ over the vector space $\mathbb{C}^n$ is a homomorphism $\sigma : G \to \mathrm{GL}(\mathbb{C}^n)$, i.e., a map from group elements to nonsingular $n \times n$ complex matrices satisfying $\sigma(x)\sigma(y) = \sigma(xy)$ for all $x, y \in G$. Clearly, $\sigma(1) = 1$ and $\sigma(x^{-1}) = \sigma(x)^{-1}$. We say that $\mathbb{C}^n$ is the representation space of $\sigma$, where $n$ is called its dimension (or degree), denoted $d_\sigma$.

Two representations $\sigma$ and $\sigma'$ with representation spaces $\mathbb{C}^n$ are isomorphic (denoted $\sigma \cong \sigma'$) if and only if there is an invertible linear transformation $M \in \mathbb{C}^{n \times n}$ such that $M\sigma(x) = \sigma'(x)M$ for all $x \in G$. (Representations of different dimensions cannot be isomorphic.) Every representation is isomorphic to a unitary representation, i.e., one for which $\sigma(x)^{-1} = \sigma(x)^\dagger$ for all $x \in G$. Thus we can restrict our attention to unitary representations without loss of generality.

The simplest representations are those of dimension one, such that $\sigma(x) \in \mathbb{C}$ with $|\sigma(x)| = 1$ for all $x \in G$. Every group has a one-dimensional representation called the trivial representation, defined by $\sigma(x) = 1$ for all $x \in G$.

Two particularly useful representations of a group $G$ are its left regular representation and its right regular representation. Both of these representations have dimension $|G|$, and their representation space is the group algebra $\mathbb{C}G$, i.e., the $|G|$-dimensional complex vector space spanned by basis vectors $|x\rangle$ for $x \in G$. The left regular representation $L$ satisfies $L(x)|y\rangle = |xy\rangle$, and the right regular representation $R$ satisfies $R(x)|y\rangle = |yx^{-1}\rangle$. In particular, both regular representations are permutation representations, as each consists entirely of permutation matrices.

Given two representations $\sigma : G \to V$ and $\sigma' : G \to V'$, we can define their direct sum, a representation $\sigma \oplus \sigma' : G \to V \oplus V'$ of dimension $d_{\sigma \oplus \sigma'} = d_\sigma + d_{\sigma'}$. The representation matrices of $\sigma \oplus \sigma'$ are of the form

$(\sigma \oplus \sigma')(x) = \begin{pmatrix} \sigma(x) & 0 \\ 0 & \sigma'(x) \end{pmatrix}$    (B1)

for all $x \in G$.

A representation is irreducible if it cannot be decomposed as the direct sum of two other representations. Any representation of a finite group $G$ can be written as a direct sum of irreducible representations (or irreps) of $G$. Up to isomorphism, $G$ has a finite number of irreps. The symbol $\hat{G}$ denotes a complete set of irreps of $G$, one for each isomorphism type.

Another way to combine two representations is with the tensor product. The tensor product of $\sigma : G \to V$ and $\sigma' : G \to V'$ is $\sigma \otimes \sigma' : G \to V \otimes V'$, a representation of dimension $d_{\sigma \otimes \sigma'} = d_\sigma d_{\sigma'}$.

The character of a representation $\sigma$ is the function $\chi_\sigma : G \to \mathbb{C}$ defined by $\chi_\sigma(x) := \mathrm{Tr}\,\sigma(x)$. We have $\chi_\sigma(1) = d_\sigma$, $\chi_\sigma(x^{-1}) = \chi_\sigma(x)^*$, and $\chi_\sigma(yx) = \chi_\sigma(xy)$ for all $x, y \in G$. For two representations $\sigma, \sigma'$, we have $\chi_{\sigma \oplus \sigma'} = \chi_\sigma + \chi_{\sigma'}$ and $\chi_{\sigma \otimes \sigma'} = \chi_\sigma \cdot \chi_{\sigma'}$.

Perhaps the most useful result in representation theory is Schur's Lemma, which can be stated as follows:

Theorem 4 (Schur's Lemma). Let $\sigma$ and $\sigma'$ be two irreducible representations of $G$, and let $M \in \mathbb{C}^{d_\sigma \times d_{\sigma'}}$ be a matrix satisfying $\sigma(x)M = M\sigma'(x)$ for all $x \in G$. Then if $\sigma \not\cong \sigma'$ we have $M = 0$; and if $\sigma = \sigma'$, then $M$ is a scalar multiple of the identity matrix.

Schur's Lemma can be used to prove the following orthogonality relation for irreducible representations:

Theorem 5. For two irreps $\sigma, \sigma' \in \hat{G}$, we have

$\frac{1}{|G|} \sum_{x \in G} \sigma(x)_{ij}\, \sigma'(x)_{i'j'}^{*} = \frac{\delta_{\sigma,\sigma'}\, \delta_{i,i'}\, \delta_{j,j'}}{d_\sigma}$    (B2)

where $\delta_{\sigma,\sigma'} = 1$ if $\sigma = \sigma'$, and $0$ otherwise.

In particular, this implies a corresponding orthogonality relation for the irreducible characters (i.e., the characters of the irreducible representations):

Theorem 6. For two irreps $\sigma, \sigma' \in \hat{G}$, we have

$\langle \chi_\sigma, \chi_{\sigma'} \rangle := \frac{1}{|G|} \sum_{x \in G} \chi_\sigma(x)^{*}\, \chi_{\sigma'}(x) = \delta_{\sigma,\sigma'}.$    (B3)

Characters provide a simple test for irreducibility. In particular, for any representation $\sigma$, $\langle \chi_\sigma, \chi_\sigma \rangle$ is a positive integer, and is equal to 1 if and only if $\sigma$ is irreducible.

Any representation of $G$ can be broken up into its irreducible components. The regular representations of $G$ are useful for understanding such decompositions, since they contain every possible irrep of $G$, each occurring a number of times equal to its dimension. In particular,

$L \cong \bigoplus_{\sigma \in \hat{G}} (\sigma \otimes 1_{d_\sigma}), \qquad R \cong \bigoplus_{\sigma \in \hat{G}} (1_{d_\sigma} \otimes \sigma^{*}),$    (B4)

where $1_d$ denotes the $d \times d$ identity matrix. In fact, this holds with the same isomorphism for both $L$ and $R$, since they are commutants of each other. The isomorphism is simply the Fourier transform over $G$. For its precise definition, as well as a proof that it decomposes the regular representations, see Section VI.

Considering $\chi_L(1) = \chi_R(1) = |G|$ and using this decomposition, we find the well-known identity

$\sum_{\sigma \in \hat{G}} d_\sigma^2 = |G|.$    (B5)

Also, noting that $\chi_L(x) = \chi_R(x) = 0$ for any $x \in G \setminus \{1\}$, we see that

$\sum_{\sigma \in \hat{G}} d_\sigma\, \chi_\sigma(x) = 0.$    (B6)

In general, the multiplicity of the irrep $\sigma \in \hat{G}$ in an arbitrary representation $\tau$ of $G$ is given by $\mu_\sigma := \langle \chi_\sigma, \chi_\tau \rangle$. Then we have the decomposition

$\tau \cong \bigoplus_{\sigma \in \hat{G}} \sigma \otimes 1_{\mu_\sigma}.$    (B7)

The projection onto the $\sigma$-isotypic subspace of $\tau$ is given by

$\Pi_\sigma := \frac{d_\sigma}{|G|} \sum_{x \in G} \chi_\sigma(x)^{*}\, \tau(x).$    (B8)

Any representation $\sigma$ of $G$ can also be viewed as a representation of any subgroup $H \le G$, simply by restricting its domain to elements of $H$. We denote the resulting restricted representation by $\mathrm{Res}^G_H \sigma$. Even when $\sigma$ is irreducible over $G$, it will in general not be irreducible over $H$. (It is also possible to extend any representation $\sigma'$ of $H$ to an induced representation $\mathrm{Ind}^G_H \sigma'$ of $G$, but we will not need the definition here.)

We conclude with some examples of groups and their irreducible representations.

2. Abelian groups

The irreducible representations of any finite Abelian group are all one-dimensional. (Conversely, any non-Abelian group has some irrep of dimension greater than 1.)

For a cyclic group $G = \mathbb{Z}/n\mathbb{Z}$, all irreps are of the form $\sigma_k : \mathbb{Z}/n\mathbb{Z} \to \mathbb{C}$ with $\sigma_k(x) := e^{2\pi i k x/n}$, where $k \in \mathbb{Z}/n\mathbb{Z}$ uniquely labels the representation. Hence there are indeed $n$ inequivalent irreps of $\mathbb{Z}/n\mathbb{Z}$, all of dimension 1.

Any finite Abelian group can be written as a direct product of cyclic factors, and its irreducible representations are given by products of irreps of those factors. For example, the irreducible representations of the group $G = (\mathbb{Z}/n\mathbb{Z})^2$ are given by $\sigma_k(x) := e^{2\pi i (k_1 x_1 + k_2 x_2)/n}$, where $k = (k_1, k_2) \in (\mathbb{Z}/n\mathbb{Z})^2$ uniquely labels the irrep.
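The identities of the general theory above, (B3), (B5), (B6) and the multiplicities (B4)/(B7) of the regular representation, are easiest to appreciate on a small non-Abelian group, where irreps of dimension greater than 1 appear. The following Python is an added example, not code from the review: it implements the dihedral group $D_n$ with the group law (B9) and the irreps (B10)-(B15) that the next subsection lists, and verifies that each irrep is a homomorphism, that the irreducible characters are orthonormal, that $\sum_\sigma d_\sigma^2 = 2n$, that the weighted character sum (B6) vanishes off the identity, and that each irrep occurs in $L$ with multiplicity $d_\sigma$. The function names are my own.

```python
"""Irreps of the dihedral group D_n checked against the identities of Appendix B.

Added example, not code from the review: the group law (B9) and the irreps
(B10)-(B15) of the dihedral subsection are implemented directly; the
function names are my own.
"""
import cmath


def dihedral_elements(n):
    return [(x, a) for x in range(n) for a in range(2)]


def dihedral_mul(n, g, h):
    """Group law (B9): (x, a) . (y, b) = (x + (-1)^a y, a + b)."""
    (x, a), (y, b) = g, h
    return ((x + (-1) ** a * y) % n, (a + b) % 2)


def dihedral_irreps(n):
    """A complete set of irreps of D_n, each a function (x, a) -> matrix (list of rows)."""
    irreps = {"tt": lambda x, a: [[1]],            # (B10)
              "ts": lambda x, a: [[(-1) ** a]]}    # (B11)
    if n % 2 == 0:                                  # (B12), (B13) exist only for even n
        irreps["st"] = lambda x, a: [[(-1) ** x]]
        irreps["ss"] = lambda x, a: [[(-1) ** (x + a)]]
    for h in range(1, -(-n // 2)):                  # h = 1, ..., ceil(n/2) - 1
        def sigma_h(x, a, h=h):                     # (B14) for a = 0, (B15) for a = 1
            w = cmath.exp(2j * cmath.pi * h * x / n)
            return [[w, 0], [0, w.conjugate()]] if a == 0 else [[0, w], [w.conjugate(), 0]]
        irreps[f"2d_{h}"] = sigma_h
    return irreps


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]


def is_homomorphism(n, sigma, tol=1e-9):
    """sigma(g) sigma(h) == sigma(gh) for all g, h: the defining property of a representation."""
    for g in dihedral_elements(n):
        for h in dihedral_elements(n):
            lhs, rhs = matmul(sigma(*g), sigma(*h)), sigma(*dihedral_mul(n, g, h))
            if any(abs(lhs[i][j] - rhs[i][j]) > tol for i in range(len(lhs)) for j in range(len(lhs))):
                return False
    return True


def all_homomorphisms(n):
    return all(is_homomorphism(n, s) for s in dihedral_irreps(n).values())


def character(sigma):
    """chi_sigma(g) = Tr sigma(g)."""
    return lambda x, a: sum(sigma(x, a)[i][i] for i in range(len(sigma(x, a))))


def inner(n, chi1, chi2):
    """<chi1, chi2> = (1/|G|) sum_g chi1(g)^* chi2(g), equation (B3)."""
    G = dihedral_elements(n)
    return sum(complex(chi1(*g)).conjugate() * chi2(*g) for g in G) / len(G)


def regular_character(n):
    """Character of the left regular representation L(g)|h> = |gh>: the trace of
    the permutation matrix L(g) is the number of basis vectors |h> it fixes."""
    return lambda x, a: sum(1 for h in dihedral_elements(n) if dihedral_mul(n, (x, a), h) == h)


def sum_of_squared_dims(n):
    """Left-hand side of (B5); should equal |D_n| = 2n."""
    return sum(len(s(0, 0)) ** 2 for s in dihedral_irreps(n).values())


def character_gram_error(n):
    """Largest deviation of <chi_sigma, chi_sigma'> from delta_{sigma,sigma'} (B3)."""
    chars = {name: character(s) for name, s in dihedral_irreps(n).items()}
    return max(abs(inner(n, chars[a], chars[b]) - (1 if a == b else 0)) for a in chars for b in chars)


def regular_multiplicities(n):
    """mu_sigma = <chi_sigma, chi_L> for each irrep (B7); by (B4) this equals d_sigma."""
    chi_L = regular_character(n)
    return {name: round(inner(n, character(s), chi_L).real) for name, s in dihedral_irreps(n).items()}


def max_weighted_character_sum(n):
    """max over g != 1 of |sum_sigma d_sigma chi_sigma(g)|, which (B6) says is 0."""
    irreps = dihedral_irreps(n)
    return max(abs(sum(len(s(0, 0)) * character(s)(*g) for s in irreps.values()))
               for g in dihedral_elements(n) if g != (0, 0))
```

For $n = 4$ the functions return $\sum_\sigma d_\sigma^2 = 8$, multiplicities $1, 1, 1, 1$ for the four one-dimensional irreps and $2$ for the single two-dimensional one, and `inner(4, chi_L, chi_L)` evaluates to $8$, the irreducibility test of the text applied to the (reducible) regular representation. For odd $n$ only the irreps `tt` and `ts` remain among the one-dimensional ones, and the count of two-dimensional irreps grows accordingly.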

3. Dihedral group

The dihedral group of order $2n$ is $D_n = \mathbb{Z}/n\mathbb{Z} \rtimes \mathbb{Z}/2\mathbb{Z}$, with the group law

$(x, a) \cdot (y, b) = (x + (-1)^a y,\ a + b)$    (B9)

for $x, y \in \mathbb{Z}/n\mathbb{Z}$ and $a, b \in \mathbb{Z}/2\mathbb{Z}$.

For $n$ even, we have the following 1-dimensional representations:

$\sigma_{tt}((x, a)) := 1$    (B10)
$\sigma_{ts}((x, a)) := (-1)^a$    (B11)
$\sigma_{st}((x, a)) := (-1)^x$    (B12)
$\sigma_{ss}((x, a)) := (-1)^{x + a};$    (B13)

for $n$ odd, we have only $\sigma_{tt}$ and $\sigma_{ts}$. The 2-dimensional representations are of the form

$\sigma_h((x, 0)) = \begin{pmatrix} e^{2\pi i h x/n} & 0 \\ 0 & e^{-2\pi i h x/n} \end{pmatrix}$    (B14)

and

$\sigma_h((x, 1)) = \begin{pmatrix} 0 & e^{2\pi i h x/n} \\ e^{-2\pi i h x/n} & 0 \end{pmatrix},$    (B15)

for some $h \in \{1, 2, \ldots, \lceil n/2 \rceil - 1\}$. It is straightforward to check that these representations are all irreducible and that the sum of the dimensions squared gives $2n$.

APPENDIX C: Curves Over Finite Fields

Kedlaya's quantum algorithm for counting the number of points on a curve over a finite field relies on several results in algebraic geometry. Here we explain some of the central concepts that are necessary to understand the algorithm. For concreteness, we limit ourselves to the case of planar algebraic curves. Our notation follows (Lorenzini, 1996), a highly recommended textbook for more information on this topic.

Given a bivariate polynomial $f \in \mathbb{F}_q[X, Y]$, we can consider the solutions to the equation $f(x, y) = 0$ with $x, y$ elements of the base field $\mathbb{F}_q$ or of an extension field $\mathbb{F}_{q^r}$. The set of these solutions is the planar curve denoted by $C_f(\mathbb{F}_q)$ or $C_f(\mathbb{F}_{q^r})$, respectively. Often we drop the subscript $f$ when it is clear from context.

1. Affine and projective spaces

The theory of algebraic equations works more generally if we allow points at infinity to be possible solutions as well. We frequently work over the projective plane $\mathbb{P}^2$, which for a given finite field $\mathbb{F}_{q^r}$ can be expressed as

$\mathbb{P}^2(\mathbb{F}_{q^r}) = (\mathbb{F}_{q^r}^3 \setminus \{(0, 0, 0)\})/\!\sim$    (C1)

where two points are equivalent, $(x, y, z) \sim (x', y', z')$, if and only if there exists a $\lambda \in \mathbb{F}_{q^r}^\times$ such that $(\lambda x, \lambda y, \lambda z) = (x', y', z')$. These rays in $\mathbb{F}_{q^r}^3$ are denoted by $(x : y : z)$, i.e.,

$(x : y : z) = \{(\lambda x, \lambda y, \lambda z) : \lambda \in \mathbb{F}_{q^r}^\times\} \subset \mathbb{F}_{q^r}^3$    (C2)

for all $(x, y, z) \neq (0, 0, 0)$.

One can easily verify that the projective plane $\mathbb{P}^2(\mathbb{F}_q)$ consists of $q^2 + q + 1$ points, of which $q^2$ lie in the affine plane $\mathbb{A}^2(\mathbb{F}_q) = \{(x, y, 1) : (x, y) \in \mathbb{F}_q^2\}$; the remaining $q + 1$ points are the line at infinity $\{(x, 1, 0) : x \in \mathbb{F}_q\}$ and the point at infinity $\{(1, 0, 0)\}$. This decomposition can be summarized by the equation $\mathbb{P}^2 = \mathbb{A}^2 \cup \mathbb{P}^1 = \mathbb{A}^2 \cup \mathbb{A}^1 \cup \mathbb{A}^0$. (For clarity, an affine space is often indicated by $\mathbb{A}^n(\mathbb{F}_q)$ rather than by the equivalent set $\mathbb{F}_q^n$, as the latter suggests a vector space with an origin, a concept that plays no role in affine spaces. In this article we ignore this subtlety.)

2. Projective curves

The affine solutions to the polynomial equation $f(X, Y) = 0$ over $\mathbb{F}_q$ consist of the set $\{(x, y) \in \mathbb{F}_q^2 : f(x, y) = 0\}$, but for the solutions in the projective plane $\mathbb{P}^2(\mathbb{F}_q)$ we must make the following adjustment. To define $f(X, Y)$ in $\mathbb{P}^2$, we introduce a third variable $Z$ that allows us to translate $f$ into a homogeneous polynomial, such that if $f(x, y, z) = 0$ for $(x, y, z) \in \mathbb{F}_q^3 \setminus \{(0, 0, 0)\}$, then $f(\lambda x, \lambda y, \lambda z) = 0$ for all $\lambda \in \mathbb{F}_q^\times$. For example, with $f(X, Y) = Y^2 + X^3 + X + 1$, we have $f(X, Y, Z) = Y^2 Z + X^3 + X Z^2 + Z^3$.

In other words, an algebraic curve $C_f$ in the projective plane is defined by a homogeneous polynomial $f \in \mathbb{F}_q[X, Y, Z]$, and its set of $\mathbb{F}_{q^r}$-rational solutions is given by

$C_f(\mathbb{F}_{q^r}) = \{(x : y : z) : f(x, y, z) = 0\} \subset \mathbb{P}^2(\mathbb{F}_{q^r}).$    (C3)

Notice that for each extension degree $r$ there is a different set of solutions $C_f(\mathbb{F}_{q^r})$. Explicit examples of curves are given in Sections IV.F and IV.H.

3. Properties of curves

Let $f \in \mathbb{F}_q[X, Y, Z]$ define a planar, projective curve $C_f$. A point $(x : y : z) \in C_f(\mathbb{F}_{q^r})$ is called nonsingular if and only if

where $\partial f/\partial X$ denotes the formal derivative of $f$ with respect to $X$. A projective curve is called smooth if all its points are nonsingular. In many ways, curves over finite fields are analogous to compact Riemann surfaces. Most importantly, one can assign a genus $g$ to a smooth projective curve $C_f$, just as one can for a compact Riemann surface. (This is why we use the projective curve: the affine curve is not compact.) The projective line $\mathbb{P}^1$, defined by a linear equation such as $X = 0$, has genus 0; elliptic curves, defined by cubic equations, have genus 1; and in general, a degree $d$ polynomial gives a curve with genus $g = \frac{1}{2}(d - 1)(d - 2)$. The complexity of algorithms for curves often depends critically on the genus of the curve, and hence on the degree of the defining polynomial $f$.
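The bookkeeping of Sections C.1-C.3 can be made concrete over a prime field $\mathbb{F}_p$, where arithmetic is just integers modulo $p$. The following Python is an added example, not code from the review: it enumerates representatives of $\mathbb{P}^2(\mathbb{F}_p)$ as in (C1)-(C2), homogenizes a bivariate polynomial as in C.2, counts the $\mathbb{F}_p$-rational points of the projective curve (C3), and tests nonsingularity with the standard criterion that the three formal partial derivatives $\partial f/\partial X$, $\partial f/\partial Y$, $\partial f/\partial Z$ do not all vanish at the point. The dictionary representation of polynomials and the elliptic curve $Y^2 = X^3 + X + 1$ over $\mathbb{F}_5$ are my own constructions; the curve $Y^2 + X^3 + X + 1$ over $\mathbb{F}_2$ is the text's homogenization example, and the code finds that over $\mathbb{F}_2$ it has a singular point at $(1 : 1 : 1)$ (in characteristic 2, $\partial/\partial Y$ of $Y^2$ vanishes identically), so the genus formula does not apply to it there.

```python
"""Projective plane points, homogenization, and point counting for planar
curves over a prime field F_p.

Added example, not code from the review: polynomials are dicts
{(i, j, k): coefficient} for X^i Y^j Z^k (my own convention); the curve
over F_2 is the text's example, the curve over F_5 is constructed here.
"""


def projective_points(p):
    """Representatives of P^2(F_p): the affine plane (x:y:1), the line at
    infinity (x:1:0) and the point at infinity (1:0:0), as in (C1)-(C2)."""
    affine = [(x, y, 1) for x in range(p) for y in range(p)]
    line_at_infinity = [(x, 1, 0) for x in range(p)]
    return affine + line_at_infinity + [(1, 0, 0)]


def homogenize(f):
    """Turn f in F_p[X,Y] (dict {(i, j): c}) into a homogeneous polynomial in
    F_p[X,Y,Z] by multiplying each monomial by Z^(d - i - j), d = deg f."""
    d = max(i + j for i, j in f)
    return {(i, j, d - i - j): c for (i, j), c in f.items()}


def evaluate(f, point, p):
    x, y, z = point
    return sum(c * x ** i * y ** j * z ** k for (i, j, k), c in f.items()) % p


def partial(f, var, p):
    """Formal partial derivative with respect to X, Y or Z (var = 0, 1, 2)."""
    out = {}
    for exps, c in f.items():
        e = exps[var]
        if e == 0:
            continue
        new = list(exps)
        new[var] -= 1
        out[tuple(new)] = (out.get(tuple(new), 0) + c * e) % p
    return out


def curve_points(f, p):
    """C_f(F_p) as in (C3): the projective points at which f vanishes."""
    return [pt for pt in projective_points(p) if evaluate(f, pt, p) == 0]


def singular_points(f, p):
    """Points of C_f(F_p) where all three formal partial derivatives vanish
    (the standard Jacobian criterion; the curve is smooth iff this is empty)."""
    grads = [partial(f, v, p) for v in range(3)]
    return [pt for pt in curve_points(f, p) if all(evaluate(g, pt, p) == 0 for g in grads)]


def genus(f):
    """g = (d-1)(d-2)/2 for a smooth plane curve of degree d."""
    d = max(sum(e) for e in f)
    return (d - 1) * (d - 2) // 2


# Constructed inputs: the text's f(X,Y) = Y^2 + X^3 + X + 1, taken over F_2 ...
F2_CURVE = homogenize({(0, 2): 1, (3, 0): 1, (1, 0): 1, (0, 0): 1})
# ... and an elliptic curve Y^2 = X^3 + X + 1 over F_5, written as Y^2 - X^3 - X - 1.
F5_CURVE = homogenize({(0, 2): 1, (3, 0): -1, (1, 0): -1, (0, 0): -1})


if __name__ == "__main__":
    for p in (2, 3, 5):
        print(f"|P^2(F_{p})| = {len(projective_points(p))} = {p}^2 + {p} + 1")
    print("homogenized text example:", F2_CURVE)
    print("points over F_2:", curve_points(F2_CURVE, 2),
          "singular:", singular_points(F2_CURVE, 2))
    print("points over F_5:", len(curve_points(F5_CURVE, 5)),
          "singular:", singular_points(F5_CURVE, 5), "genus:", genus(F5_CURVE))
```

`homogenize` reproduces the text's $Y^2 Z + X^3 + X Z^2 + Z^3$; over $\mathbb{F}_5$ the constructed cubic has 9 rational points (8 affine ones plus $(0 : 1 : 0)$), no singular points, and genus 1, as expected for an elliptic curve. Point counting by enumeration is exponential in $\log q$, which is exactly why Kedlaya's algorithm is of interest for large fields.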
4. Rational functions on curves

Similar to the case of Riemann surfaces, the geometric properties of a smooth, projective curve are closely related to the behavior of rational functions on the same surface. For a smooth, projective curve $C_f$ defined by the homogeneous polynomial $f \in \mathbb{F}_q[X, Y, Z]$, we define the function field of rational functions by

$\mathbb{F}_q(C_f) = \left\{ \frac{g}{h} : \deg(g) = \deg(h) \right\} / \!\sim$    (C5)

with $g$ and $h$ homogeneous polynomials in $\mathbb{F}_q[X, Y, Z]$ of identical degree, and with equivalence between functions defined by

$\frac{g}{h} \sim \frac{g'}{h'} \quad \text{if and only if} \quad g h' - g' h \in (f),$    (C6)

where $(f)$ is the ideal generated by $f$. Notice that by the requirement that $g$ and $h$ are of the same degree, we have

$\frac{g(\lambda x, \lambda y, \lambda z)}{h(\lambda x, \lambda y, \lambda z)} = \frac{\lambda^{\deg(g)}\, g(x, y, z)}{\lambda^{\deg(h)}\, h(x, y, z)} = \frac{g(x, y, z)}{h(x, y, z)},$

which shows that $g/h$ is indeed well-defined on the points $(x : y : z)$ in the projective space $\mathbb{P}^2(\mathbb{F}_q)$.

It is an important fact that each non-constant rational function on $C_f$ has both roots (points where $g = 0$) and poles ($h = 0$), and that the number of roots equals the number of poles, counting multiplicity. See Section IV.H for an example of the structure of $\mathbb{F}_q(C_f)$ for an elliptic curve over $\mathbb{F}_2$.